matrix-nio

Pass access_token as Authorization Bearer token?

Open auscompgeek opened this issue 4 years ago • 3 comments

Query parameters tend to get logged along with the rest of the URL, so probably prudent to pass the access_token via headers instead.

auscompgeek, Apr 15 '20 05:04

For this to work we'll need to make the API layer smarter.

It's a bit dumb that it returns just tuples, so expanding functionality there is not really possible.

We'll need to add a Request class that holds the path/method/body. All the API endpoints will then return this class instead of a tuple and set a flag on the class if authorization is required.

The client layer can then insert the access token any way it likes if it gets a Request object that requires authorization.

This is a breaking change for the API layer; to ease the transition we'll need to have a way to get from a Request object to an old-fashioned tuple.

poljar, Apr 15 '20 08:04

There's another way I can think of, that can easily be implemented in the async client without breaking everything that relies on the API layer: in _send(), how about extracting the access_token out of the request URL, and adding it to the headers instead?

mirukana, Jul 31 '20 02:07

This is quite a hackish way. While we might want to do this to get this quickly, the correct way is to refactor the API to return a Request class that tells us if auth is required.

poljar, Aug 04 '20 17:08
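
Added example (not matrix-nio's code and not written by any participant in this thread): a sketch of the two approaches discussed above, a `Request` object carrying a requires-auth flag with a legacy tuple conversion, and the `_send()`-style workaround that moves `access_token` from the URL into an `Authorization: Bearer` header. All class and function names are hypothetical, and the endpoint path and token are constructed sample values.

```python
# Added illustration; every name below is hypothetical, not matrix-nio's API.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass(frozen=True)
class Request:
    """What an API-layer endpoint builder would return instead of a tuple."""
    method: str
    path: str
    body: str = ""
    requires_auth: bool = False

    def as_tuple(self, access_token: Optional[str] = None) -> Tuple[str, str, str]:
        """Legacy shape for old callers: the token goes back into the query."""
        path = self.path
        if self.requires_auth:
            if not access_token:
                raise ValueError("endpoint requires an access token")
            sep = "&" if "?" in path else "?"
            path += sep + urlencode({"access_token": access_token})
        return self.method, path, self.body


def auth_headers(request: Request, access_token: Optional[str]) -> Dict[str, str]:
    """Client layer: send the token as a header so the URL is safe to log."""
    if not request.requires_auth:
        return {}
    if not access_token:
        raise ValueError("endpoint requires an access token")
    return {"Authorization": f"Bearer {access_token}"}


def move_token_to_header(url: str) -> Tuple[str, Dict[str, str]]:
    """The _send()-style workaround: strip access_token out of a built URL."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [v for k, v in query if k == "access_token" and v]
    rest = [(k, v) for k, v in query if k != "access_token"]
    clean = urlunsplit(parts._replace(query=urlencode(rest)))
    headers = {"Authorization": f"Bearer {tokens[0]}"} if tokens else {}
    return clean, headers


if __name__ == "__main__":
    req = Request("GET", "/_matrix/client/r0/sync?timeout=30000", requires_auth=True)
    print(auth_headers(req, "constructed_token"), req.path)  # token absent from path
    print(move_token_to_header(req.as_tuple("constructed_token")[1]))
```

With the flag-based design the token never enters the path in the first place; the workaround has to parse it back out of every URL and still leaves it in any log line written before `_send()` runs.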