Don't send 'data' when exchanging for a token

[SpraxDev]

I believe this is agains OAuth 2.0 and an /profile route should be used instead, giving the exchanged token an actual purpose.

We'd want to keep the route for backwards compatibility and introduce the 'new' endpoints at the /v2/ suffix.

[SpraxDev]

Update

There is now /api/v2/profile which you can contact to get the current profile in the exact same format Mojang provides it. Please use the access_token you exchanged and set the Authorization header: Authorization: Bearer THE_ACCESS_TOKEN.

Please update your apps to no longer use the data field as it is now considered deprecated and will be removed in the future.