I'm using a token style authentication process. After the client has obtained a token, it is either set in the client's cookies (for Web) or the authorization headers of t
There's no added security in sending credentials in the Authorization header vs. a JSON body. The advantage in using the Authorization header is that you leverage the standardized HTTP semantics, and you don't have to document exactly what clients should do. You can simply point them to the RFCs.
If you're concerned about being really RESTful, I'd say using the Authorization header instead of rolling your own method is a must.
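
To illustrate the standardized semantics the answer above refers to, here is an added example (not part of the original answer) of server-side handling of `Authorization: Bearer` with the status codes and `WWW-Authenticate` challenges defined in RFC 7235 and RFC 6750. The realm `api`, the sample token and the function names are assumptions made for the example.

```python
import hmac
import re

# RFC 6750 section 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# Constructed sample token; a real service would validate against its token store.
VALID_TOKEN = "c2FtcGxlLXRva2Vu"
REALM = "api"  # assumed realm name


def challenge(error=None):
    """Build the WWW-Authenticate response header for the Bearer scheme."""
    value = f'Bearer realm="{REALM}"'
    if error:
        value += f', error="{error}"'
    return {"WWW-Authenticate": value}


def authenticate(headers):
    """Return (status, response_headers) for a dict of request headers."""
    # Header field names are case-insensitive.
    normalized = {k.lower(): v for k, v in headers.items()}
    raw = normalized.get("authorization", "").strip()
    scheme, _, rest = raw.partition(" ")
    # Scheme names are case-insensitive (RFC 7235 section 2.1).
    if scheme.lower() != "bearer":
        # No bearer credentials at all: challenge without an error code
        # (RFC 6750 section 3.1).
        return 401, challenge()
    token = rest.strip()
    if not _B64TOKEN.fullmatch(token):
        # Bearer scheme present but the credentials are malformed.
        return 400, challenge("invalid_request")
    # Constant-time comparison avoids leaking token prefixes through timing.
    if not hmac.compare_digest(token.encode(), VALID_TOKEN.encode()):
        return 401, challenge("invalid_token")
    return 200, {}
```

Any client that follows the RFCs can interpret these responses without service-specific documentation.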