4

When designing an API, is it best to allow the client to pass an access token only via basic access authentication, as does the Stripe API, or only via query string, as does the Facebook's Graph API, or via both, as does the GitHub API?

Improve this question

1 Answer 1

Reset to default
3

As often comes up in similar threads, it is ideal/better to put it in the header. However, when it comes to compatibility or legacy technologies (JSONP) or insincere proxies (remove headers), you end up having to put it in the querystring.

In other words, you put it into the querystring in order to be as 'compatible' and accessible as possible to all client technologies.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.