Previously, authentication could only be done using a URL parameter,
which appears in various logs. Now, clients can authenticate using a
more appropriate HTTP header.