You're both talking about web authentication, not HTTP authentication. cf. https://news.ycombinator.com/item?id=45399594
Only to obtain the token, the actual connection itself uses HTTP authentication (Bearer scheme).
Only to obtain the token, the actual connection itself uses HTTP authentication (Bearer scheme).