So we optionally allow apps to use HTTP Basic auth instead of an "Authorization: Bearer ..." header.
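A server-side sketch of accepting either header form, as an added example that is not code from the original page. It assumes the token travels as the Basic password with the username ignored (the page does not say which field carries it); `extract_token`, `is_authorized` and `VALID_TOKEN` are hypothetical names.

```python
import base64
import hmac

# Constructed sample secret; a real service would look tokens up in its own store.
VALID_TOKEN = "example-token-123"


def extract_token(authorization):
    """Return the app token from an Authorization header value, or None.

    Accepts "Bearer <token>" or "Basic <base64(user:password)>".
    Assumption: with Basic, the token is the password and the username is ignored.
    """
    if not authorization:
        return None
    scheme, _, value = authorization.strip().partition(" ")
    value = value.strip()
    if not value:
        return None
    scheme = scheme.lower()  # auth scheme names are case-insensitive (RFC 9110)
    if scheme == "bearer":
        return value
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:
            # Covers bad base64 (binascii.Error) and non-UTF-8 bytes.
            return None
        # Split on the first colon only: the password may itself contain ':'.
        _user, sep, password = decoded.partition(":")
        if not sep or not password:
            return None
        return password
    return None  # any other scheme is rejected, not guessed at


def is_authorized(authorization):
    """Check the extracted token in constant time, whichever scheme carried it."""
    token = extract_token(authorization)
    if token is None:
        return False
    return hmac.compare_digest(token.encode(), VALID_TOKEN.encode())
```

Both schemes end in the same comparison, so the Basic path gets no weaker check than the Bearer path.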