Pass Access Token via Basic Auth vs Query String

Question

When designing an API, is it best to allow the client to pass an access token only via basic access authentication, as does the Stripe API, or only via query string, as does the Facebook's Graph API, or via both, as does the GitHub API?

Answer 1

As often comes up in similar threads, it is ideal/better to put it in the header. However, when it comes to compatibility or legacy technologies (JSONP) or insincere proxies (remove headers), you end up having to put it in the querystring.

In other words, you put it into the querystring in order to be as 'compatible' and accessible as possible to all client technologies.