pass sensitive info into an AngularJS single-page app

Question 1

There is no way to get a POST param in a single page app, because you cannot POST to a client like a web browser; you can only POST to a server.

See this question.

When you make a POST request, your server interprets the variables and returns a resource (like an HTML page) in response. That page, by default, doesn't have access to any of the headers or data in the request that spawned it. The only reason that you can access GET params is because JavaScript can inspect the URL of the loaded page, which happens to be where the params are stored.

Some server scripting will be necessary, but it shouldn't be too hard. A quick and dirty answer would be to use server scripting to inject the POST params into JavaScript code (for example, in PHP)

echo "<script>doSpecialLogin(".$_POST['superSecretKey'].");</script>"

However, I would also highly recommend that you spend some time making sure that your method is actually secure, and maybe look into technologies like OAuth.

Question 2

A HTTP request is sent from a client to a server. You can send data back to the client from the server in two ways: headers and the response body. It works exactly the same for both POST and GET, with the difference that you can also send a request body with POST.

Now let us assume you are using AngularJS's $http.

$http.get(url) sends a GET request to the server. You capture the response using .success(callback) where callback is called with a parameter representing the response body.

$http.post(url, requestData) does exactly the same with requestData being the request body sent.

Where

function callback(responseBody) {
}

Server-side, in PHP, everything that your script outputs is sent back to the client and the responseBody parameter will contain it.

So, with POST, you use the request body to send data from client to server and the response body to send data from the server back to the client.

This whole "two step" process is a HTTP POST request.