Is token based authentication secure when

Published 2019-07-23 16:22

Question:

any request is made via HTTPS and the token is transmitted the following ways:

a) GET https://foo.dom/foobar?auth_token=abcxyz

b) GET https://foo.dom/foobar with HTTP-header like X-FOOBAR-TOKEN: abcxyz

As I understand SSL, in case of an HTTP request the client first negotiates the SSL connection and does only transmit additional parameters and/or HTTP headers in case the secure connection was established successfully.

Am I right so far?

Thx for any suggestion. Felix

Answer 1:

SSL buys you encryption of the transport so no one can snag the auth token while it is being sent to/from the site. There are some man-in-the-middle attacks that can be performed against SSL but generally SSL should protect the token content.

What makes or breaks the security is whether or not the Token itself is cryptographically secure. If that can be said to be true then you are golden. Check out this site http://web.mit.edu/kerberos/dialogue.html.

There are plenty of other sites that use secure tokens for auth, see: http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html.
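The two points raised above, that the token must be cryptographically secure and that both the query-string variant (a) and the header variant (b) ride inside the TLS-encrypted request, can be shown in a few lines. The following is an added example, not code from the question or the answer: it issues a random token with Python's `secrets` module, stores only a hash of it server-side (an assumed design choice, not something the thread prescribes), checks a presented token in constant time, and builds the request for each of the two transmission styles so you can see what ends up in the request line. The `X-FOOBAR-TOKEN` header name and the `auth_token` parameter are taken from the question; `foo.dom` is the question's placeholder host.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


def issue_token(nbytes=32):
    """Generate a cryptographically secure, URL-safe random token.

    secrets.token_urlsafe draws from the OS CSPRNG, which is what
    "cryptographically secure token" in the answer above requires.
    """
    return secrets.token_urlsafe(nbytes)


def token_fingerprint(token):
    """Hash the token for storage (assumed design: the server keeps only
    the fingerprint, so a leaked token table does not yield live tokens)."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def verify_token(presented, stored_fingerprints):
    """Constant-time comparison against every stored fingerprint.

    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    fp = token_fingerprint(presented)
    return any(hmac.compare_digest(fp, s) for s in stored_fingerprints)


def build_request(url, token, via="header"):
    """Return (method, request-target, headers) for the two styles in the question.

    Either way the request line and the headers are sent only after the TLS
    handshake, so both are encrypted on the wire; only the hostname (SNI)
    is visible to an observer.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    headers = {"Host": parts.netloc}
    if via == "query":          # style (a): ?auth_token=...
        target = f"{target}?auth_token={token}"
    elif via == "header":       # style (b): X-FOOBAR-TOKEN header
        headers["X-FOOBAR-TOKEN"] = token
    else:
        raise ValueError("via must be 'query' or 'header'")
    return "GET", target, headers


def token_in_request_line(target, token):
    """True if the token sits in the request target, which is what web
    server access logs, proxies and browser history record by default;
    headers are not written to those logs in the default formats."""
    qs = parse_qs(urlsplit(target).query)
    return token in qs.get("auth_token", [])


def extract_token(target, headers):
    """Server side: prefer the header, fall back to the query parameter."""
    if "X-FOOBAR-TOKEN" in headers:
        return headers["X-FOOBAR-TOKEN"]
    return parse_qs(urlsplit(target).query).get("auth_token", [None])[0]


if __name__ == "__main__":
    tok = issue_token()
    store = [token_fingerprint(tok)]
    for style in ("query", "header"):
        method, target, hdrs = build_request("https://foo.dom/foobar", tok, via=style)
        print(style, method, target, "logged:", token_in_request_line(target, tok),
              "verified:", verify_token(extract_token(target, hdrs), store))
```

Running it shows that both styles verify identically once the request reaches the server; the difference is only that style (a) leaves the token in the request target, so it is the logging and history exposure, not the TLS transport, that separates the two options.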