context: reject access tokens passed via URL query parameters (#8177)

docs/api-reference/introduction.mdx

@@ -55,23 +55,11 @@ There are two ways to authenticate through the Gogs API. Requests that require a
     </Warning>
   </Tab>
   <Tab title="Access token">
-    Personal access tokens are the recommended way to authenticate. They can be sent via a request **header** or a **URL query parameter**.
-
-    **Using a header:**
+    Personal access tokens must be sent via the `Authorization` request header.
 
     ```bash
     curl -H "Authorization: token {YOUR_ACCESS_TOKEN}" https://gogs.example.com/api/v1/user/repos
     ```
-
-    **Using a query parameter:**
-
-    ```bash
-    curl https://gogs.example.com/api/v1/user/repos?token={YOUR_ACCESS_TOKEN}
-    ```
-
-    <Tip>
-      Using the `Authorization` header is preferred over the query parameter, as URLs may be logged by proxies and servers.
-    </Tip>
   </Tab>
 </Tabs>
 

docs/api-reference/openapi.json

@@ -5449,12 +5449,6 @@
         "in": "header",
         "name": "Authorization",
         "description": "Personal access token. Use format: token {YOUR_ACCESS_TOKEN}"
-      },
-      "TokenQuery": {
-        "type": "apiKey",
-        "in": "query",
-        "name": "token",
-        "description": "Access token as query parameter"
       }
     },
     "schemas": {