These extensions transport messages over TCP, as specified in [RFC793], and do not pass any specific parameters to the transport. Transport-layer security MUST be used to secure the security tokens. These extensions use HTTPS, as specified in [RFC2818], to do so.
Messages sent using these extensions are not encoded by Open-Data, as specified in [MS-ODATA], and use the default character set defined by the client or the server.
Security tokens are JWTs and are sent using HTTP Authorization headers, as specified in [IETFDRAFT-JWT]. HTTP Authorization headers are specified in [RFC2617].