After creating a test application, I noticed that some of the examples given use plain HTTP connections. The “Getting an access token for your API” section is fine and uses HTTPS. However, the “Sending the token API” section shows, for all clients, sending your bearer token over an HTTP connection.
People should hopefully notice this when they go to interact with their applications, but it still seemed like a bad default, as I could see people copy/pasting an example and just changing the URL and token portions.
I would suggest that the examples be changed to use HTTPS connections.