If you look at the API endpoints provided by all popular OAuth providers (Google, Facebook, Pocket, Git etc), you’d see that they all have HTTPS endpoints.
The ways in which you can pass an access token to the provider are –
i) As Query Parameter –
https://yourwebsite.com/api/endpoint?access_token=YOUR_ACCESS_TOKEN
ii) In the request header –
GET /api/users/123/profile HTTP/1.1
Host: yourwebsite.com
Date: Tue, 14 May 2013 12:00:00 GMT
Authorization: <YOUR_ACCESS_TOKEN>
These two are approaches that are generally supported by most APIs. You can think of doing the same.
iii) Pocket API does not use GET at all. They use POST for all their requests, even for retrieving data. Check this link to see their documentation. Notice that they use POST for retrieving data and pass JSON parameters.