Is it possible to configure below on LTMs?
Implement token based ACL in header (which web server/LB checks before allowing access to websites). This token needs to be valid for a very short time and should automatically expire after say 7 days, this blocking access to ACC (unless renewed for another testing). The client’s needs to send this secret token in HTTP header to be able to access this website.
sure, shouldn't be that hard. BIG-IP can check the header for sure. it can check if the token is allowed in table and once it is used start a timer.
main thing is how to determine which tokens are valid and how the users get them. if you want to automate that things become more tricky, but it probably can be build.