When calling an external API with Python's "requests" package, I have the choice of using basic auth or passing a token in the headers. I assume the headers can be seen by anyone sniffing the connection and basic auth is easy to decode, but I don't think auth can be seen via sniffing. Does anyone know for sure? Am I missing anything obvious from a security standpoint?
Also, I assume this is a non-issue if using HTTPS (i.e., it only matters when the connection is not encrypted). Is that a good assumption?
I tried both methods and they both work, but I want to use the most secure method that works with the API (this is a vendor API so we don't own the code).
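What each of the two options puts into the request, as an added example that is not part of the original post: it builds both requests offline (nothing is sent) and reads back the `Authorization` header each one would carry. The URL, credentials, token, the `Bearer` scheme and the helper names are assumptions made up for the illustration; the vendor API may expect a different header.

```python
import base64

try:
    import requests  # only used to prepare a request locally; no network traffic
except ImportError:
    requests = None

# Constructed sample values, not real credentials or a real endpoint.
URL = "http://api.example.test/v1/items"
USER, PASSWORD = "svc-account", "s3cr3t-pass"
TOKEN = "constructed-token-123"

def authorization_header(auth=None, headers=None):
    """Return the Authorization header value the client would send."""
    if requests is not None:
        prepared = requests.Request("GET", URL, auth=auth, headers=headers).prepare()
        return prepared.headers["Authorization"]
    # Fallback without requests: HTTP Basic is "Basic " + base64("user:password").
    if auth is not None:
        raw = f"{auth[0]}:{auth[1]}".encode("latin1")
        return "Basic " + base64.b64encode(raw).decode("ascii")
    return headers["Authorization"]

def recover_secret(header_value):
    """What anyone who can read the request headers learns from the value."""
    scheme, _, value = header_value.partition(" ")
    if scheme.lower() == "basic":
        decoded = base64.b64decode(value).decode("latin1")
        user, _, password = decoded.partition(":")
        return {"scheme": "Basic", "user": user, "secret": password}
    return {"scheme": scheme, "user": None, "secret": value}

def require_https(url):
    """Refuse to attach credentials to a URL that is not TLS-protected."""
    if not url.lower().startswith("https://"):
        raise ValueError(f"refusing to send credentials over {url!r}")
    return url

if __name__ == "__main__":
    basic = authorization_header(auth=(USER, PASSWORD))
    bearer = authorization_header(headers={"Authorization": f"Bearer {TOKEN}"})
    for value in (basic, bearer):
        print(value, "->", recover_secret(value))
    try:
        require_https(URL)
    except ValueError as exc:
        print(exc)
```

Both options end up as an `Authorization` request header, and base64 is an encoding rather than encryption, so the transport (HTTPS with certificate verification left on) is what keeps either value from being read in transit.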