From:
FAQ: How does ArcGIS Server token authentication work?
https://support.esri.com/en/technical-article/000011851
All Esri clients and APIs send usernames and passwords over https (encrypted) if it is enabled. If it's not enabled, then usernames/passwords may be sent as clear text over the network. To prevent this, it is strongly recommended that https be enabled in ArcGIS Server when using GIS-tier authentication. It is not enabled by default.
Tokens can be acquired through either an HTTP GET or an HTTP POST. Using a POST is always more secure. GET requests may leave usernames/passwords in network equipment history and in the browser history. Esri APIs and products use POST when acquiring tokens. However for the convenience of people writing scripts, tokens can be acquired via GET requests. Esri recommends against obtaining tokens via GET requests in secure environments.