Hi all and thank you for the initiative for this open community!
I'm new to REST APIs and I am currently working on a backend that will be mostly used by mobile apps, trying to keep best practices in mind and apply them when possible.
In my API, I use Facebook authentication like this: clients are responsible for allowing users to sign in with Facebook, and whenever a client interacts with my API, it should pass the user's access token (through HTTPS), which will be used for authenticating the user.
What's the best practice for passing this token? Should I do it as a parameter after the HTTP question mark? (e.g. GET /api/users/123/profile?access_token=pq8pgHWX95bLZCML). Or maybe pass it somehow in the header of the request, as I would do in HTTP basic authentication?
Am I thinking about it right at all?
I have posted the same question on Stack Overflow as well, with no luck so far, so if you have any advice or hint, I'd be happy for some feedback, either here or in the SO post.
Thanks!
zafeiris
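As an added illustration of the header-versus-query-string choice raised in the post (example code written for this page, not code from the poster or from any Facebook SDK), the snippet below shows a server-side check that reads the access token only from an `Authorization: Bearer <token>` header and rejects requests that put it in the URL. The `verify_token` callable, the `fake_verify_token` stand-in and the token-to-user table are assumptions constructed for the demo; a real backend would call the identity provider (for Facebook, its token debug endpoint) at that point.

```python
import re
from typing import Callable, Mapping, Optional

# Added example, not from the original post. Query strings are routinely
# written to web-server access logs, reverse-proxy logs, browser history and
# Referer headers; request headers normally are not. So even over HTTPS the
# Authorization header is the safer carrier for a bearer token.

# RFC 6750 bearer-token syntax; the scheme name is case-insensitive (RFC 7235).
BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def extract_bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, or None.

    Header names are matched case-insensitively, as HTTP requires. A header
    that is present but not in Bearer form (e.g. 'Basic ...') yields None.
    """
    for name, value in headers.items():
        if name.lower() == "authorization":
            match = BEARER_RE.match(value.strip())
            return match.group(1) if match else None
    return None


def token_in_query_string(query: Mapping[str, str]) -> bool:
    """True if the client sent the token as a query parameter (?access_token=...)."""
    return "access_token" in query


def authenticate(
    headers: Mapping[str, str],
    query: Mapping[str, str],
    verify_token: Callable[[str], Optional[str]],
) -> dict:
    """Decide how to handle one request.

    `verify_token` is a hypothetical callable (assumption for this example)
    that checks the token with the identity provider and returns the user id,
    or None if the token is invalid or expired.
    """
    if token_in_query_string(query):
        # Refuse rather than silently accept: a token in the URL has most
        # likely already been written to one or more logs.
        return {"status": 400,
                "reason": "send the token in the Authorization header, not in the URL"}
    token = extract_bearer_token(headers)
    if token is None:
        return {"status": 401, "reason": "missing or malformed Authorization header"}
    user_id = verify_token(token)
    if user_id is None:
        return {"status": 401, "reason": "invalid token"}
    return {"status": 200, "user_id": user_id}


# Constructed sample data standing in for a real token-verification call.
VALID_TOKENS = {"pq8pgHWX95bLZCML": "123"}  # token -> user id (constructed)


def fake_verify_token(token: str) -> Optional[str]:
    """Stand-in for the identity provider lookup (constructed for the demo)."""
    return VALID_TOKENS.get(token)


def demo() -> tuple:
    """Run the three cases a practitioner would want to see side by side."""
    good = authenticate({"Authorization": "Bearer pq8pgHWX95bLZCML"}, {}, fake_verify_token)
    in_url = authenticate({}, {"access_token": "pq8pgHWX95bLZCML"}, fake_verify_token)
    missing = authenticate({"Content-Type": "application/json"}, {}, fake_verify_token)
    return good, in_url, missing


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Rejecting the query-string form outright, instead of accepting it as a fallback, is a deliberate choice: if the server accepts both, some clients will keep using the URL form and the tokens will keep landing in logs.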