On every call to my REST API, I require clients to pass the user's Facebook access token, which authenticates the user. What's the best practice for passing this token?
- maybe as a parameter behind the HTTP question mark:
  GET /api/users/123/profile?access_token=pq8pgHWX95bLZCML
- or somehow in the header of the request, similarly to HTTP basic authentication
- maybe a third option?

(I've excluded passing it in JSON because I want the token to be passed in GET calls as well, so JSON wouldn't fit there, I think.)