Comment 1 for bug 861854

How should we fix this? Should we hash the token so it goes encrypted over the wire? Should we re-design the validate-token? Would having the token as an http header in the call help?