When querying prismic the secret is in the query string.
https://....cdn.prismic.io/api/v2/documents/search?page=1&pageSize=1&access_token=SECRET&ref=...&q=...
The query string is not sent as clear text over internet but it tends to end up in logs which is not good.
Is it possible to send the secret in the body?
Hi,
I’m Amaury from the dev-team.
Prismic currently handles secrets via query string (as you did) and as Authorization Header with the format “Bearer SECRET”.
Are there any plans to change this?
Not to remove the present autentication procedure; but to add functionality to make the secret less conspicuous.
Having the secrets stuck in logs (firewalls, routers, load balancers and web browsers) is, security wise not a good idea.
If I get hold of the query string I can copy it to any machine and read the result.
There are no plans to change this at the moment.
I agree this would be very useful.
I will add it as feature request for the team to consider.
This is being tracked as an open feature request.
If you have another use-case for this feature, you can 'Flag' this topic to reopen. Please use the 
button to show your support for the feature and check out our Feature Request Guidelines.