diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst
index 27cd9a0f2..e64572ab0 100644
--- a/specification/client_server_api.rst
+++ b/specification/client_server_api.rst
@@ -207,6 +207,11 @@ support:
 1. Via a query string parameter, ``access_token=TheTokenHere``.
 #. Via a request header, ``Authorization: Bearer TheTokenHere``.
 
+Clients are encouraged to use the ``Authorization`` header where possible
+to prevent the access token being leaked in access/HTTP logs. The query
+string should only be used in cases where the ``Authorization`` header is
+unaccessible for the client.
+
 When credentials are required but missing or invalid, the HTTP call will
 return with a status of 401 and the error code, ``M_MISSING_TOKEN`` or
 ``M_UNKNOWN_TOKEN`` respectively.