[paulgb]

For better or worse, basic auth in the URL isn't really an option any more, (e.g. see https://stackoverflow.com/a/57193064). I think the issue was that it reveals the secret to anyone who can see the URL bar, but the alternative we got still has that problem and also has the problem that the secret is no longer separable from the resource identifier.

[thayne]

The browser could hide the secret after it is entered.

[paulgb]

Yeah, and it would still be useful for queries that never appear in the URL bar (like EventSource and WebSocket, where setting an Authorization header is not something that’s exposed by the browser)