Actually the key confusing difference here is the content type of the request. While uploading a file, the content-type is multipart/form-data. That’s why we use the -F flag instead of -d. If you try to put the token in the body with an additional -F flag, you’ll see the server’s clear response:
"error_description": "When putting the token in the body, content type must be application/x-www-form-urlencoded."
Which means you can either put it in the query string (weird exception to the good general rules @Dave mentioned), or, even better, in an authorization header as @gruvin suggested. It will work either way. From the authentication section of the docs:
There are three ways to send your access token in a request.
- In an HTTP Authorization header (always works)
- In the URL query string (only works with GET requests)
- In the request body (only works for POST & PUT when body is URL-encoded)
When we’re uploading files to flash to a Core, the body is not URL-encoded.
In general, even though most internet users never see HTTP headers (so headers feel confusing to novice web coders), I’d recommend everyone get in the habit of just always sending tokens that way, since it always works. FTW:
curl -H "Authorization: Bearer MY_TOKEN_HERE" https://api.spark.io/v1/devices
Hope that helps @Peli!
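An added example, not part of the original post or the API's own code: the same header-based authentication applied to a multipart file upload, built in Python without sending anything. The device ID, the `file` field name and the PUT-to-device path are assumptions for illustration; only the base URL comes from the post.

```python
import uuid
import urllib.request

API_BASE = "https://api.spark.io/v1/devices"  # base URL from the post


def build_flash_request(token, device_id, filename, firmware):
    """Build (but do not send) a multipart PUT with the token in a header.

    device_id, the "file" field name and the PUT-to-device path are
    assumptions for illustration; check them against the API docs.
    """
    boundary = uuid.uuid4().hex
    # Multipart body: one file part, then the closing boundary.
    body = b"".join([
        b"--" + boundary.encode() + b"\r\n",
        b'Content-Disposition: form-data; name="file"; filename="'
        + filename.encode() + b'"\r\n',
        b"Content-Type: application/octet-stream\r\n\r\n",
        firmware,
        b"\r\n--" + boundary.encode() + b"--\r\n",
    ])
    req = urllib.request.Request(
        f"{API_BASE}/{device_id}", data=body, method="PUT")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    # The token travels only in the header: not in the URL, not in the body.
    req.add_header("Authorization", f"Bearer {token}")
    return req


if __name__ == "__main__":
    # Constructed sample input; placeholders, not real credentials.
    req = build_flash_request("MY_TOKEN_HERE", "DEVICE_ID_PLACEHOLDER",
                              "firmware.bin", b"\x00constructed sample bytes")
    print(req.get_method(), req.full_url)
    print(req.get_header("Content-type"))
    # urllib.request.urlopen(req) would actually send the request.
```

Because the token stays out of the URL, it does not end up in query strings recorded by proxies or server access logs.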