Why is it fine to send an access token to the resource server in a GET request?
In a header: the Authorization header, as a Bearer token
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
“The header is not logged anywhere”? To verify; this may be wrong. Find the correct answer.
The following were somewhat helpful (must read):
- https://security.stackexchange.com/questions/229892/sending-token-through-get-vs-post
- https://security.stackexchange.com/questions/188975/is-a-redirect-showing-the-password-in-plain-text-a-security-vulnerability/188995#188995
In query param
A contrasting answer explaining why it can be OK:
From: https://security.stackexchange.com/questions/158541/sending-access-token-through-get-request
As explained here, sensitive data in the URL query part (such as a secret API token) is primarily an issue if the URL is accessed directly in the browser and therefore visible in the URL bar as well as stored in the browser history.
But API requests are usually performed in the background of an app or via a background AJAX request and therefore you’re much less likely to run into a situation where the plain API request URL is presented to a user. Therefore the dangers of sensitive data in the URL are negligible for an API.
Also note that over HTTPS the full HTTP request is encrypted, including the query part. Only the hostname (api.instagram.com) would be exposed to a MITM as a side effect of SNI.
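Added example (my own code, not from these notes or the linked answers) for the "is the header logged?" question above: a server-side access log in the Apache/nginx "combined" format records the request line (path plus query string) but not the Authorization header, so the same token ends up in the log only when it travels in the query part. `SENSITIVE_PARAMS`, `combined_log_line` and `redact_query` are names I made up; the token and log fields are constructed sample values.

```python
"""Query-string tokens land in ordinary access logs; Bearer headers do not
(unless the server is explicitly configured to log that header).
redact_query() is a mitigation for APIs that still accept tokens in the URL."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names commonly used to carry credentials (assumed list).
SENSITIVE_PARAMS = {"access_token", "token", "api_key", "apikey"}


def combined_log_line(method, target, headers, status, size,
                      client="203.0.113.7", when="10/Oct/2023:13:55:36 +0000"):
    """Build an access-log line in the Apache/nginx 'combined' format:
    %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i".
    Only the request line, Referer and User-Agent are written; the
    Authorization header is not part of this format."""
    referer = headers.get("Referer", "-")
    agent = headers.get("User-Agent", "-")
    return (f'{client} - - [{when}] "{method} {target} HTTP/1.1" '
            f'{status} {size} "{referer}" "{agent}"')


def redact_query(target):
    """Replace the value of sensitive query parameters with [REDACTED]
    so the request target can be logged safely."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"  # constructed sample token

if __name__ == "__main__":
    # Token in the header: the log line does not contain it.
    print(combined_log_line("GET", "/v1/me",
                            {"Authorization": f"Bearer {TOKEN}"}, 200, 512))
    # Token in the query string: it is written to the log verbatim...
    leaky = f"/v1/me?access_token={TOKEN}&fields=id"
    print(combined_log_line("GET", leaky, {}, 200, 512))
    # ...unless the target is redacted before logging.
    print(combined_log_line("GET", redact_query(leaky), {}, 200, 512))
```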