The reason is that the login token is already sent to the browser and held in localStorage. So it shouldn’t be any issue if you put it in the URL as well. I know in PHP you can run the whole session by putting the login token in the URL.
It could make accidentally sharing it a problem. I’m not aware of any solution that I’d swear by, but you could use a temporary one time use token, and some communication between the servers to validate that token, and then transfer the user token server to server. To avoid a URL that that user could grab you could post that temporary one use token to the new server, instead of linking a static link.
I can’t swear this is a good architecture, as I’d have to think it through more.
It would be a security risk in case someone is snooping the wi-fi connection and knows that you are exposing the the loginToken on the URL. Additionally, that URL can be used multiple times.
The right solution here would be to create a document that holds the token inside of it, and to write a Method that a) checks for the document and returns the loginToken embedded with-in it and b) removes that document.