Hacker News | xtrial972's comments

This is because you copied the link with the token; the token is generated for your logged-in user. Strip the token and it wouldn't work. Other users do not have your token.

You send the bearer token as a GET argument?

I'm sure there's a good reason for that. I do it in a server that I publish for general use, but won't do it for the server that I control, as I make sure that it reads headers.

Some PHP servers ignore auth headers (and, I suspect, other APIs), so you need to set general-purpose frameworks and servers to use GET arguments, but that's a security issue, for exactly the reason you state. Too easy to leak logins. If you use headers, then copying and pasting URLs won't leak logins.

In any case, the token should be timed, but that’s a fairly weak precaution.
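The two points made in the reply above, read the bearer token from the Authorization header rather than the query string, and give the token an expiry, as an added Python example (not code from any commenter or from the server being discussed). The token format (user.expiry.mac), the demo key and the function names are assumptions made for this illustration. For Apache deployments running PHP under CGI/FastCGI, where the Authorization header is not passed through to the script, the commonly used workaround is to forward it in the server config (for example `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`) rather than to move the token into the URL.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed demo key for this example; a real service loads it from a secret store.
SECRET_KEY = b"demo-secret-key-not-for-production"


def issue_token(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint a bearer token of the form user.expiry.mac, where mac is an HMAC-SHA256
    over "user.expiry". The embedded expiry is what makes the token 'timed'."""
    now = time.time() if now is None else now
    payload = f"{user}.{int(now) + ttl_seconds}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{base64.urlsafe_b64encode(mac).decode().rstrip('=')}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user the token was issued to, or None if the token is malformed,
    tampered with (MAC mismatch) or expired."""
    now = time.time() if now is None else now
    try:
        user, expiry_s, mac_s = token.rsplit(".", 2)
        expiry = int(expiry_s)
        mac = base64.urlsafe_b64decode(mac_s + "=" * (-len(mac_s) % 4))
    except ValueError:  # wrong field count, non-integer expiry, or bad base64
        return None
    expected = hmac.new(SECRET_KEY, f"{user}.{expiry}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if now >= expiry:  # a copied link stops working once the token expires
        return None
    return user


def bearer_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Extract the bearer token from the Authorization header and nowhere else.
    A token placed in the query string ends up in browser history, Referer headers
    and access logs, which is exactly how a pasted link leaks a login."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not auth:
        return None
    scheme, _, value = auth.partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()


def authenticate(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Resolve a request to a user from its headers only. Anything a client
    appended to the URL (e.g. ?token=...) is never consulted."""
    token = bearer_from_headers(headers)
    if token is None:
        return None
    return verify_token(token, now)


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=3600)
    print(authenticate({"Authorization": f"Bearer {tok}"}))  # alice
    print(authenticate({"X-Token": tok}))                     # None: not in Authorization
```

Because `verify_token` recomputes the MAC over the user and expiry it parsed, a client that edits the expiry in a copied link gets a MAC mismatch rather than a longer-lived token, and the expiry check is a simple comparison against the server clock rather than a stored session.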


That's true, I just checked. I will edit my post, thanks!

This is because you copied the link with the token; the token is generated for your logged-in user. Strip the token and it wouldn't work.
