Official implementation does not support it, for now you would need to use polyfill for that, for example: GitHub - Yaffle/EventSource: a polyfill for http://www.w3.org/TR/eventsource/
Also there is a lot of talk about EventSource already being legacy api and no one is developing it for further support, but there is no good alternative either. Just the fetch stream api, but it is not that well supported either it seems.
As for tokens, it would best practice to use cookies for authorization concerns instead of custom headers, at least in public facing api-s.