c# asp.net-mvc bitcoin restful-authentication blockcypher

How to properly put the auth token in the header for a GET request


I am trying to do a GET request to an API with blockcypher.com. In the docs they simply append the API token to the URL with ?token= or, if it's part of multiple parameters, &token=. What's the proper protocol for putting this in the headers to make sure that the token isn't sent in the URL for security reasons?

I already tried to do this formula

var client = _clientFactory.CreateClient(nameof(<Parent Function Name>));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", <API Token Here>);

This didn't work. My blockcypher account claims that no requests to my API were sent when I use the above code.


Solution

  • If the API you're calling doesn't support the Authorization header, there isn't anything you can do. From looking at BlockCypher's docs, they only appear to support passing the token as a URL parameter. The Authorization header is very standard, so not supporting it is odd.

    This isn't as big of a security risk as you might think, as long as you are only doing server-to-server communication (not a browser or mobile app). When you use HTTPS, the request URL is encrypted (see Is an HTTPS query string secure?).
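When the token has to go in the query string, as the answer above describes, the full URL can still be written to application or proxy logs on the calling side. The following is an added example, not code from the original post or from BlockCypher: it appends the token with the correct `?`/`&` separator and masks it before logging. The host, path, and environment variable name are placeholders.

```csharp
using System;
using System.Net.Http;

public static class TokenUrl
{
    // Appends token=<value>, choosing '?' or '&' based on whether a query already exists.
    public static Uri WithToken(Uri uri, string token)
    {
        var builder = new UriBuilder(uri);
        string existing = builder.Query.TrimStart('?');
        string pair = "token=" + Uri.EscapeDataString(token);
        builder.Query = existing.Length == 0 ? pair : existing + "&" + pair;
        return builder.Uri;
    }

    // Returns the URL with the token value masked, for log lines and error reports.
    public static string Redact(Uri uri)
    {
        var builder = new UriBuilder(uri);
        string[] parts = builder.Query.TrimStart('?')
            .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries);
        for (int i = 0; i < parts.Length; i++)
        {
            if (parts[i].StartsWith("token=", StringComparison.OrdinalIgnoreCase))
                parts[i] = "token=REDACTED";
        }
        builder.Query = string.Join("&", parts);
        return builder.Uri.ToString();
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumption: token read from an environment variable with a hypothetical name;
        // the fallback is a constructed sample value, not a real credential.
        string token = Environment.GetEnvironmentVariable("API_TOKEN") ?? "constructed-sample-token";

        // Placeholder host and path (not a real API endpoint).
        Uri url = TokenUrl.WithToken(new Uri("https://api.example.com/v1/resource?limit=5"), token);

        using (var request = new HttpRequestMessage(HttpMethod.Get, url))
        {
            // Log the redacted form only; request.RequestUri still carries the real token.
            Console.WriteLine(request.Method + " " + TokenUrl.Redact(request.RequestUri));
        }
    }
}
```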