Security: contains_valid_token

[alexcouper]

For now this is fine, but we should remember that this is subject to a man in the middle attack because the headers can be reused to make subsequent requests "as" the original client.

[txels]

Good point. Well, this should be secure enough under HTTPS (same premise as HTTP basic authentication).

Do you have any specific idea in mind for a more secure approach?

[alexcouper]

Possibly S3-style signing of requests?

But you're right about https - that should take care of it.