API method /api/session/password_reset_token_valid

I have a question about the "token" parameter sent in the API GET method /api/session/password_reset_token_valid. Is it not a "secret" parameter? Why is this parameter sent by the GET method in the URL request?

Docs: metabase/session.md at master · metabase/metabase · GitHub

Hi @kajbon
It's also send in a GET request of users clicking the link in the email they've received, so it wouldn't make it much difference to change the API request.