From ca87876f1ba2a16f88a60ae9880d1db54ddf496b Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Wed, 15 Aug 2018 16:37:52 -0600 Subject: [PATCH] Clarify that the Authorization header is preferred --- specification/client_server_api.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst index 27cd9a0f..e64572ab 100644 --- a/specification/client_server_api.rst +++ b/specification/client_server_api.rst @@ -207,6 +207,11 @@ support: 1. Via a query string parameter, ``access_token=TheTokenHere``. #. Via a request header, ``Authorization: Bearer TheTokenHere``. +Clients are encouraged to use the ``Authorization`` header where possible +to prevent the access token being leaked in access/HTTP logs. The query +string should only be used in cases where the ``Authorization`` header is +unaccessible for the client. + When credentials are required but missing or invalid, the HTTP call will return with a status of 401 and the error code, ``M_MISSING_TOKEN`` or ``M_UNKNOWN_TOKEN`` respectively.
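Review bot: "unaccessible" in the last added line of the hunk is not standard English; use "inaccessible" or, more precisely, "not available to the client". The rationale sentence is also narrower than the actual risk: a token in the query string ends up not only in access/HTTP logs but also in browser history, proxy logs and outbound ``Referer`` headers, so consider "to prevent the access token being leaked in access/HTTP logs, browser history, or Referer headers". Since the text now states a preference between the two mechanisms, it would also help to say what a server does when a request carries both (for example, that the header takes precedence), otherwise clients that fall back to the query string have no guidance on mixed requests.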