It should be put in the HTTP Authorization header. The spec is here https://www.rfc-editor.org/rfc/rfc7235
More Related Contents:
- Designing URI for current logged in user in REST applications
- What exactly is RESTful programming?
- HTTP GET with request body
- RESTful Authentication
- 400 BAD request HTTP error code meaning?
- SOAP vs REST (differences)
- HTTP POST with URL query parameters — good idea or not?
- URL matrix parameters vs. query parameters
- What is the proper REST response code for a valid request but an empty data?
- HTTP response code for POST when resource already exists
- What is RESTful programming?
- Security of REST authentication schemes
- Update an entire resource collection in a REST way
- When is it appropriate to respond with a HTTP 412 error?
- How to do a PUT request with cURL?
- Call a Server-side Method on a Resource in a RESTful Way
- What REST PUT/POST/DELETE calls should return by a convention?
- RESTful – What should a DELETE response body contain
- Response status code for searches in REST APIs
- Hyphen, underscore, or camelCase as word delimiter in URIs?
- Status code when deleting a resource using HTTP DELETE for the second time
- REST API DESIGN – Getting a resource through REST with different parameters but same url pattern
- If REST applications are supposed to be stateless, how do you manage sessions?
- Transactions in REST?
- How to QUEUE a new build using VSTS REST API
- http_build_query with same name parameters
- Is it OK to return a HTTP 401 for a non existent resource instead of 404 to prevent information disclosure?
- REST vs JSON-RPC? [closed]
- HTTP Request in Android with Kotlin
- REST api: requesting multiple resources in a single get [duplicate]