I think both methods would work for simple cases. However, if you want to make maximum use of native HTTP behaviours, you should go with the headers approach, not the URL query parameters one.

This will allow you to (for example) use HTTP response codes to indicate to client that a resource has been permanently moved (response code 301) so the client can automatically update links. If the URL included the authentication information, it is not clear to a client that two different URLs are actually referring to the same resource. In other redirect scenarios, the headers will be automatically included so you don’t have to worry about appending parameters to redirect URLs.

Also, it should allow better caching behaviour on clients (if that is relevant in your scenario).

As another example, using headers would allow you to authenticate a request based just on the headers without requiring the client to send the message body. The idea is that you authenticate with the headers, then send the client an HTTP 100 Continue response. The client should not send the message body until it gets the 100. This could be an important optimisation if you are doing POSTs or PUTs with large message bodies.

There are other examples, but whether any given one is relevant depends on your scenarios and on the clients you expect to serve.

In summary, I would say it is better to make use of elements of the protocol as they were explicitly intended – this gives you the best chance of behaving as a client expects and should make your service more accessible, efficient and usable in the longer term.