Myself and a couple colleagues have been doing some app development against the Canvas API for the last several months. Tested out calls using Postman and then built out the solution in whatever environment we needed to (it varied some). While the initial impression I/we've been given is that the applications we've built are using the tokens fine....in some troubleshooting scenarios we'd use the same production token in Postman to try and sort out where a breakdown may have occurred. 

We just got a message recently where we're being told that while using Postman we're sending the token in clear text and I'm befuddled where I/we've been going wrong. And while I won't say I know the in/outs of REST API calls, we're putting the token in a header parameter (not the url) and we're doing callouts to Canvas over SSL. Authorization is using a Bearer Token with the value specified, url is to https....

I'm totally willing to accept that I/we did something discouraged, but I'm struggling to figure out where that might have happened. A different colleague, not connected to the Canvas work offered that perhaps the token is being read/logged at the endpoint...at which point that would make more sense because at some point Canvas has to read it, validate it, on a basic level before doing what we're asking. 

We've got a follow up meeting scheduled for Monday, but its driving me nuts a little where I/we made a left turn because I'm just not seeing it. 

Thanks!