[timtadh]

Probably not the best idea to just tack the token onto the URL. There is a reason that people are not generally using tokens on URLs in lieu of cookies for session tokens. A better idea is to add a parameter in the POST body. This means that using this method all routes need a request body and you are therefore going to be mostly using POST in your API.

[albinowax_]

Agreed, definitely don't put a session token in the URL. I'd recommend using a custom HTTP header to transmit it - this way you aren't forced to use POST for everything.