...

Discussion on issue #39: If the requester's token is passed to the AM (authorization manager) to be dereferenced, where it is placed in the request matters: depending on placement it may or may not end up in access logs, and these are bearer tokens, so anyone who can read the token can use it. The risk is that the host is sending the AM a requester's bearer token for dereferencing, and if the AM is compromised, someone other than the real requester could obtain the token and use it. If this request is switched to a GET, the host is already supplying its own host access token in the Authorization header, using up the one slot that would have kept the requester's access token out of the request line and therefore out of the logs. So the only way to protect the requester's token is to use a POST and carry it in the body.
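
The GET-versus-POST point above, as an added illustration that is not part of the meeting notes or of the UMA specification: the two request shapes are built side by side and run past a Common Log Format access-log writer (which records the request line but neither headers nor body) and a toy AM-side handler that authenticates the host from the Authorization header and then dereferences the requester's token from wherever the request carried it. The endpoint path, the form field name `token`, the token values and the log format are assumptions made for the example.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed sample values for the demonstration; not real tokens.
HOST_ACCESS_TOKEN = "host-access-token-7f3a"   # the host's own token for the AM
REQUESTER_TOKEN = "requester-bearer-9c1e"      # the token the host wants dereferenced
AM_ENDPOINT = "/uma/token"                      # hypothetical AM dereference endpoint


def build_get_request(requester_token, host_token, endpoint=AM_ENDPOINT):
    """GET variant: the requester's token rides in the query string.

    Returns (request_line, headers, body) as the AM's web server sees them.
    """
    request_line = f"GET {endpoint}?{urlencode({'token': requester_token})} HTTP/1.1"
    headers = {"Authorization": f"Bearer {host_token}"}
    return request_line, headers, ""


def build_post_request(requester_token, host_token, endpoint=AM_ENDPOINT):
    """POST variant: the host's token stays in the Authorization header and the
    requester's token moves into the form-encoded body."""
    request_line = f"POST {endpoint} HTTP/1.1"
    headers = {
        "Authorization": f"Bearer {host_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return request_line, headers, urlencode({"token": requester_token})


def access_log_line(client_ip, request_line, status, size):
    """Common Log Format, the default of Apache/nginx-style servers: it records
    the full request line (method, path and query string) but neither the
    request headers nor the request body."""
    return f'{client_ip} - - [01/Jan/2011:12:00:00 +0000] "{request_line}" {status} {size}'


def tokens_exposed_in_log(log_line, tokens):
    """Return the subset of `tokens` that appear verbatim in a log line."""
    return [t for t in tokens if t in log_line]


def am_dereference(request_line, headers, body, known_host_tokens, requester_tokens):
    """Toy AM-side handler: authenticate the host from the Authorization header,
    then look up the requester's token from the query (GET) or the body (POST)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in known_host_tokens:
        return {"error": "host_not_authenticated"}
    method, target, _ = request_line.split(" ", 2)
    params = parse_qs(urlsplit(target).query) if method == "GET" else parse_qs(body)
    token = params.get("token", [None])[0]
    if token not in requester_tokens:
        return {"error": "unknown_token"}
    return {"active": True, "requester": requester_tokens[token]}


def demo():
    """Run both variants; report what the access log leaks and what the AM answers."""
    tokens = [HOST_ACCESS_TOKEN, REQUESTER_TOKEN]
    results = {}
    for name, builder in (("GET", build_get_request), ("POST", build_post_request)):
        request_line, headers, body = builder(REQUESTER_TOKEN, HOST_ACCESS_TOKEN)
        log = access_log_line("10.0.0.5", request_line, 200, 87)
        results[name] = {
            "log": log,
            "exposed": tokens_exposed_in_log(log, tokens),
            "am_result": am_dereference(request_line, headers, body,
                                        {HOST_ACCESS_TOKEN}, {REQUESTER_TOKEN: "alice"}),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "->", r["log"])
        print("   tokens visible in log:", r["exposed"])
        print("   AM response:", r["am_result"])
```

Both variants dereference successfully at the AM, so functionally they are equivalent; the difference is that the GET variant writes the requester's bearer token into the AM's access log, where it survives a compromise of the log host long after the request is over, while the POST variant keeps both tokens out of the request line.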

Discussion on issues #10 and #40: Paul's not crazy about the bearer token profile. It requires things like using POST to protect the token. There are three considerations in answering the question:

...