Comment 5 for bug 861854

Ziad Sawalha (ziad-sawalha) wrote :

I agree with Robin's solution and logic:

The use case here is to validate the token, so my suggestion is to replace the operation to validate a token from GET /tokens/<id> to POST /tokens/validate with a body that includes the token ID and tenant:

POST /tokens/validate
{
    "token": {
        "id": "asdasdasd-adsasdads-asdasdasd-adsadsasd",
        "tenantId": "1234"
    }
}

That way the id will be encrypted for clients using SSL and not show up in the log.

We should add this as an additional call and not break the old one until we have verified clients are not using it. It should also be documented as the recommended call and the old call should be clearly marked as an insecure call.
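
Added example, not part of the original comment or of the project's code: a small Python http.server stand-in that validates the same token through both call shapes and captures the access-log line each one produces. The names Handler, send and run_demo and the token value are constructed for illustration.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-token-0000"  # constructed sample value, not a real token
TENANT = "1234"                   # tenant ID from the comment's request body

class Handler(BaseHTTPRequestHandler):
    access_log = []  # stands in for the server's access-log file

    def log_message(self, fmt, *args):
        # Capture what http.server would write to its log: request line, status.
        self.access_log.append(fmt % args)

    def _reply(self, valid):
        body = json.dumps({"valid": valid}).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):  # old call: the token ID is part of the URL path
        self._reply(self.path == "/tokens/" + TOKEN)

    def do_POST(self):  # proposed call: token ID and tenant travel in the body
        size = int(self.headers.get("Content-Length", 0))
        tok = json.loads(self.rfile.read(size)).get("token", {})
        self._reply(self.path == "/tokens/validate"
                    and tok.get("id") == TOKEN and tok.get("tenantId") == TENANT)

def send(port, method, path, body=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body)
    reply = json.loads(conn.getresponse().read())
    conn.close()
    return reply["valid"]

def run_demo():  # returns (validation results, captured access-log lines)
    Handler.access_log.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        body = json.dumps({"token": {"id": TOKEN, "tenantId": TENANT}})
        results = [send(server.server_port, "GET", "/tokens/" + TOKEN),
                   send(server.server_port, "POST", "/tokens/validate", body)]
    finally:
        server.shutdown()
        server.server_close()
    return results, list(Handler.access_log)
```

Both calls validate the token, but only the log line for the GET request contains the token ID; the POST line records just the fixed path /tokens/validate.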