How can I verify that the server sending a HTTP request is who I expect?

I want to make a basic code protection system, where the software runs on a permitted webserver and does an Am_I_Allowed? HTTP request to my server. My server would then determine the server sending the request, and check against a whitelist.

IP address is out, because if the protected code runs on a shared hosting server it will return the IP address of the hosting company. $_SERVER[‘REMOTE_HOST’] is based off the IP address, which will resolve the web hosting company’s domain name.

Is there anything unique (and difficult to spoof) that a server can send in a HTTP request and used for authentication? A simple password wouldn’t work, since if you did copy ‘n paste to another server, the second server would also have a valid password embedded in the code.

Many thanks