The following document shows that the api_token needs to be passed through the query string; however, the query string isn't encrypted even when using an HTTPS connection, hence it is exposed to MITM attacks.
I would like to check: is there any option to use the api_token in the HTTP headers?
Thanks
Hello, @jerry.ho and welcome to the community! 
We do not have an option of supplying the api_token inside the header. In this case, we suggest using OAuth instead.
Sincerely,
Helena
OAuth seems to be available for marketplace developers only? How do I use it for my own account only?