Broken Authentication - Predictable Reset Token

Me again ;), Having an issue with this question. I understand that the token is created by using the time requested and the username so when I request the htbuser token it will also generate the htbadmin token within time-1000 and time+1000, I am just confused with the headers in the script.

The Now header, is that the server time so the time you request the token>
Start time, is this just the Now time - 1 second.
Does it need an extra header added ?

I am just confused, any help would be great. In the meantime I will do the questions after this

Did you get it