When building an API, why should access_token be passed in the header?

What are the advantages of

compared to using post?

In addition, the token changes every time you log in, so how does multi-device login work?

Mar.07,2021

Question 1: encapsulate the token in the header.
Question 2: for multiple logins, just add an app-type field to the token table. One terminal, one token; they do not affect each other.


1. If you use OAuth2, passing the token in the header is part of the specification. There is an Authorization header dedicated to carrying authentication information.
2. Every time you log in, a new token is generated, and the old token does not expire immediately (that depends on the expiration time set when the token was generated).

reference:


There are no special benefits; it is personal habit.
Multiple logins only require that a user can have multiple tokens.


There is no rule that you can't use POST. It would be more convenient to put access_token in the header.
If you use POST, are all API requests POST methods?

To achieve multi-device login, you can map multiple access_tokens to each user, and then add a field to the access_token table to distinguish different login devices.


As long as you request another token, that token corresponds to the user's identity. When processing on the backend, you can take this token and obtain the user information from it; the principle is the same as session and cookie!


After the token is generated, it needs to be sent with each request.
But no one stipulates that all requests use the POST method. For example, RESTful uses different methods for different scenarios. Without the header, it is troublesome for both the client and the server to process.

But this is not absolute. When doing mobile Internet in the early years, mobile gateways in some areas often filtered or rewrote headers, which would cause some trouble. If you really encounter this situation, you have to think of other ways.
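
The scheme the answers above describe (token carried in the `Authorization` header, one token per user and device type), as an added example that is not code from any of the posters. The in-memory `TOKENS` dict, the function names, the `Bearer` scheme and the choice to store only a SHA-256 hash of each token and to replace the previous token for the same device on login are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

# In-memory stand-in for the access_token table (hypothetical schema):
# token_hash -> (user_id, device_type, expires_at)
TOKENS = {}


def _digest(token):
    # Store only a hash so a leaked table does not expose usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def login(user_id, device_type, ttl=3600, now=None):
    """Issue a token for one device; tokens for other devices are untouched."""
    now = time.time() if now is None else now
    # Assumption: a new login replaces the old token for the same device only.
    for key, (uid, dev, _) in list(TOKENS.items()):
        if uid == user_id and dev == device_type:
            del TOKENS[key]
    token = secrets.token_urlsafe(32)
    TOKENS[_digest(token)] = (user_id, device_type, now + ttl)
    return token


def authenticate(headers, now=None):
    """Return (user_id, device_type) for a valid Authorization header, else None."""
    now = time.time() if now is None else now
    # A plain dict is used here; real frameworks look headers up case-insensitively.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    row = TOKENS.get(_digest(token.strip()))
    if row is None or row[2] <= now:  # unknown or expired token
        return None
    return row[0], row[1]


def logout(headers):
    """Revoke only the token presented in the header; other devices stay logged in."""
    _, _, token = headers.get("Authorization", "").partition(" ")
    return TOKENS.pop(_digest(token.strip()), None) is not None
```

Because the token travels in a header, the same `authenticate` check works unchanged for GET, POST, PUT and DELETE handlers.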
