Yes, I think directly passing cookies in the header is a secure option. But it gets passed directly into a separate header called Cookie and not Authorization, as far as I am aware. I will try to explore whether we can pass it directly into Authorization. Thank you for the suggestion.