REST Authorization: Username/Password in Authorization Header vs JSON body
There's no added security in sending credentials in the Authorization
header vs. a JSON body. The advantage of using the Authorization
header is that you leverage the standardized HTTP semantics, and you don't have to document exactly what clients should do. You can simply point them to the RFCs.
If you're concerned about being really RESTful, I'd say using the Authorization
header instead of rolling your own method is a must.
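
As an added example (not part of the original answer), this is what the standardized semantics look like for the Basic scheme of RFC 7617: the client builds the header, the server parses it strictly and answers a failed attempt with a 401 challenge. The function names, the `api` realm and the sample credentials are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Assumed realm name; Base64 is reversible encoding, so TLS is still required.
CHALLENGE = {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'}

def build_basic_header(username: str, password: str) -> str:
    """Client side: 'Basic ' + base64(user-id ':' password)."""
    if ":" in username:
        raise ValueError("RFC 7617: user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic_header(value):
    """Server side: return (username, password), or None if malformed."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:  # scheme is case-insensitive
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain ':'.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def authenticate(headers, expected_user, expected_password):
    """Return (status, response_headers) for a dict of request headers.

    A real service would compare against a stored password hash; the
    plaintext comparison here keeps the example focused on the header.
    """
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None:
        return 401, CHALLENGE
    # Constant-time comparison of both fields, evaluated unconditionally.
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    return (200, {}) if (user_ok and pass_ok) else (401, CHALLENGE)

if __name__ == "__main__":
    # Constructed sample credentials.
    hdr = build_basic_header("alice", "s3cr:et")
    print(hdr, authenticate({"Authorization": hdr}, "alice", "s3cr:et"))
```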