That header was invented for this exact purpose before cookies were invented. It has wide browser support and semantics that make sense. Moreover, the design specifically includes provisions for additional auth mechanisms (basic and digest being the two most widely used). The downside was that the UI for setting that header was ugly.

Your comments remind me of the people who didn’t get HTTP verbs and wanted to use POST for everything before rediscovering REST.

> and semantics that make sense

A paradise for CSRF.

> Your comments remind me of the people who didn’t get HTTP verbs and wanted to use POST for everything before rediscovering REST.

REST is not about HTTP methods if you read the paper. It's curious you have a direct map between HTTP methods and REST verbs as your mental model.