By now, the services should work fine and anyone can query the details of our products. This may be a problem. The details of the products are not necessarily public information. We have to ensure that we only serve the data to partners who are eligible to see it.
To ensure that, we need something in the request that proves that the request comes from a partner. This information is typically a password or some other secret. It could be placed into the GET request parameters or into the HTTP request header. It is better to put it into the header because the information is secret and not to be seen by anybody.
The GET parameters are a part of the URL, and the browser history remembers that. It is also very easy to enter this information into the browser location window, copy/paste it, and send it over a chat channel or over email. This way, a user of the application...