Passing secrets (incl. passwords, keys, etc.) in the URL is a bad practice as URL is usually logged by intermediary proxies, web server logs, etc. so you have your password available for prying admin eyes in many places.

Using headers to pass autorization info is not done on a whim and has sound security reasons. Most public APIs even don't bother to allow passing auth in the URL as it's a long running anti-pattern from Web 1.0 era.

cheers,
</wqw>