Currently, the access_token (bearer token) is passed to the server as a URL query parameter. This isn't quite best practice as access/bearer tokens end up in the URL which intermediaries can grab.
These tokens instead should be placed in the HTTP header of each call:
Bearer tokens (access tokens) are no longer in the URL as a query parameter, instead they are passed in the HTTP header.
Headers are usable through Swagger in each service
UI does not send access token through URLs (except download in new windoew - pdfs)
inter service communication still working