From what I can tell, all the authentication methods, except cookie authentication, recommended on http://v2.wp-api.org/guide/authentication/ use the "Authorization" header.
The "Authentcation" header isn't reliably received on all server configurations (see WP-API/Basic-Auth#1, WP-API/Basic-Auth#35, and https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/, see the section on "PHP HTTP Authorization Header enable"). The typical workaround seems to require changing your .htaccess file (although that of course only applies to Apache setups; I'm not sure what nginx setups need to do)

On basic auth plugin, there was this suggestion on an even-less-secure way to pass the username and password: WP-API/Basic-Auth#13. Yuck. But the querystring and request body are more reliable. Or maybe we should just use a different http header for storing authentication data?Thoughts on this?