I'm using a token style authentication process. After the client has obtained a token, it is either set in the client's cookies (for Web) or the authorization headers of the client's requests (for mobile). However, in order to obtain a valid token, the client must first "log in" using an valid username/password combination. My question is this:

Is there any added security by sending the username/password combination in the authorization header vs. as parameters in the JSON body of the request (assuming I'm using HTTPS)?

I only need to send the username/password combination "once" per session in order to obtain the token. Do I gain anything by doing it a la "basic-auth" style?

There's no added security in sending credentials in the Authorization header vs. a JSON body. The advantage in using the Authorization header is that you leverage on the standardized HTTP semantics, and you don't have to document exactly what clients should do. You can simply point them to the RFCs.

If you're concerned about being really RESTful, I'd say using the Authorization header instead of rolling your own method is a must.