docs: remove query parameter token authentication

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/api-reference/introduction.mdx

@@ -55,23 +55,11 @@ There are two ways to authenticate through the Gogs API. Requests that require a
     </Warning>
   </Tab>
   <Tab title="Access token">
-    Personal access tokens are the recommended way to authenticate. They can be sent via a request **header** or a **URL query parameter**.
-
-    **Using a header:**
+    Personal access tokens must be sent via the `Authorization` request header.
 
     ```bash
     curl -H "Authorization: token {YOUR_ACCESS_TOKEN}" https://gogs.example.com/api/v1/user/repos
     ```
-
-    **Using a query parameter:**
-
-    ```bash
-    curl https://gogs.example.com/api/v1/user/repos?token={YOUR_ACCESS_TOKEN}
-    ```
-
-    <Tip>
-      Using the `Authorization` header is preferred over the query parameter, as URLs may be logged by proxies and servers.
-    </Tip>
   </Tab>
 </Tabs>
 

docs/api-reference/openapi.json

@@ -5449,12 +5449,6 @@
         "in": "header",
         "name": "Authorization",
         "description": "Personal access token. Use format: token {YOUR_ACCESS_TOKEN}"
-      },
-      "TokenQuery": {
-        "type": "apiKey",
-        "in": "query",
-        "name": "token",
-        "description": "Access token as query parameter"
       }
     },
     "schemas": {

internal/context/auth.go

@@ -148,7 +148,7 @@ func authenticatedUserID(store AuthStore, c *macaron.Context, sess session.Store
 	if isAPIPath(c.Req.URL.Path) {
 		var tokenSHA string
 		auHead := c.Req.Header.Get("Authorization")
-		if len(auHead) > 0 {
+		if auHead != "" {
 			auths := strings.Fields(auHead)
 			if len(auths) == 2 && auths[0] == "token" {
 				tokenSHA = auths[1]