I believe the answer to my question is currently “no” because according to this post parameters are not accepted in the url - only in the headers. Can someone correct me if I am mistaken?
You are correct that your scenario is not workable.
To create a session, you must POST to user/session with a POST payload that includes the user’s email and password
OK, no worries and with thanks. And then even if we have POSTed to get the session token we still cannot use a URL only because the params need to be in the header too right?
You can pass the api key and session token in the URL as parameters rather than headers.
ex:http://myurl/api/v2/db/_table/todo?api_key=myapikey&session_token=mysessiontoken
Thanks Drew, you are right, and I tested it. After the session token is generated, a heck of lot of data can be consumed in http without the need for posting headers. So as a simple url does the trick in most cases.