When setting up a new custom web service, I understand the process as described in the documentation on here and I can get it working fine, and have done several times for various integrations.
My question is why I can't then authenticate to get my token using POST instead of GET, so that I don't have to spread the credentials around in ISP logs at every hop. I've tried it but I can't seem to get it to work, even though I thought that part of the point of require_param() (which is what the token authentication is using) was that it was meant to abstract whether a parameter was provided in the query string, in the headers, via GET or POST.
Am I missing something?
For reference, this is on Moodle 3.11.7 and 3.9.14