o Use token header for authenticated requests. Closes #3910.