With the Facebook API and many others you can pass the access token via the request header or via a query parameter. ie both the following return a good response
curl https://graph.facebook.com/me?access_token=<VALID_ACCESS_TOKEN>
and
curl --header "Authorization: Bearer <VALID_ACCESS_TOKEN>" https://graph.facebook.com/me
But with the Instagram API, I can only get the first form to work and I can't find any reference to the second form in the Instagram developer pages
Am I missing some vital detail? It seems like the OAuth2 specification is pretty strongly suggesting the use of headers rather than query parameters. It is surprising that Instagram would ignore these "suggestions"
Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken.
Although not mentioned anywhere in the Instagram developer site (quite surprising), the Instagram API does not support using the Authorization header. Using the header returns a 404 error on endpoints. Only sending the access_token via POST body or GET query works.