如何通过AJAX-Call启动下载或使用SlimPHP在服务器上保护文件？

I am developing an AngularJS WebApp with SlimPHP as Backend.

I implemented a basic Token-Authentication (custom HTTP - header "x-myapp-auth"). The token is validated by my "User" middleware on every state change in the app via an AJAX-Call. There is the need for converting some JSON - Data to XLS, which I do on the server side within SlimPHP.

Now to my question: How can I

1. either secure my XLS files on the Server with my Auth-Token in Slim so that I can have a default download href to it in my app
2. make the Browser recognize I want to initiate a download, when I open a "XLS Stream" (sorry, I don't know how to describe it better) from my route in SlimPHP.

The output code for (2) would be:

header('Content-Type: application/vnd.ms-excel');
header('Content-Disposition: attachment;filename="'.$jsonData->title.'.xls"');
header('Cache-Control: max-age=0');
$objWriter = PHPExcel_IOFactory::createWriter($objPHPExcel, 'Excel5');
$objWriter->save('php://output');

But when I retrieve that output via AJAX, I can't make the browser initiate a file download.