Hi folks, is there any way to pass app_key as a header rather than URL parameter?
The main driver for this is URLs generally not being considered sensitive - they are saved in browser history and included in library error messages, e.g. this one from Go’s net/http:
Get "https://api.tfl.gov.uk/BikePoint?app_key=<redacted>": context deadline exceeded
While there are of course ways to sanitise logs, the standard Authorization HTTP header is likely to be treated with more care by default.
Thanks!
