For a POST request in my RESTful API I want to record requests from certain users for audit purposes. I know who the users are in these cases so I can ask them to include their email address in the request. Since this is really metadata for the request, the From request header seems a natural place to require the email to be sent. However, I can't remember anyone ever actually using this header.
Would it feel strange to other developers to see the From header being used in a modern application?
The From header field is rarely sent by non-robotic user agents. A user agent SHOULD NOT send a From header field without explicit configuration by the user, since that might conflict with the user's privacy interests or their site's security policy.
A server SHOULD NOT use the From header field for access control or authentication, since most recipients will assume that the field value is public information.
My interpretation is that the From header is there to allow the client to volunteer information, not so that the server can require it. For your situation, where you control the clients, using the header is fine, but given that your intent is to "record requests from certain users for audit purposes" I would expect the Authorization header to be more appropriate.