I have a private repo and I can see that the first request I send requires me to include a valid access token. However, the NextPage Url doesn't include any access token (as I would expect) but it still gets authenticated correctly and returns the results.
I am wondering how this is achieved? I check the Headers that come back from the response and it doesn't appear to contain anything that would allow for these unauthenticated GET requests to occur.
Thanks for posting! This is an interesting question, and I don't have an answer off the top of my head. What tech are you using exactly? Could you send a GitHub Gist of the code that sends the request?