So I have a frontend and a backend (api only) application, and I am currently implementing the ability for administrators to impersonate a client, and access the entire client portal.
How I planned on doing this was sending the id of the desired client across to the server, and doing some validation to ensure the user is allowed to impersonate.
My problem is I'm unsure how I should be sending this information. My thought was sending the value in a custom header, but I'm not sure this is the proper use case for a custom header. Would it be better send as a query parameter to the API?