[justsomehnguy]

> Usually in REST APIs the auth token is passed via some HTTP header.

Yes, headers or even as a data in the POST request.

> Simply, user can accidentally send the link with token in chat, etc.

Yep! Even more - it can be seen in the URL even if the user send a screenshot.

[XCSme]

Are headers/POST data safer in any way against an attacker? Do they get any special treatment while the data is in-transit, as of being usually more often encrypted than the visible request URL?

[justsomehnguy]

There is no defence against an attacker sitting on your wire. But headers and data 99.9% aren't logged or can be seen in a shared link or screenshot.

Just hit F12 in you browser, switch to the Network tab and look what happens when you do the things.

TL;DR: no, but you should be vary of how things are logged and/or shared.

Eg: you see a screenshot with https://bank.com/pay.php?from=17255252&to=6445675665&amount=... URL in the browser...

[XCSme]

Yeah, true, even a security camera pointed at your laptop's screen would have access to GET data and not POST data.