The RFC says whitespace in the Authorization header is optional. The temporary-delimiter approach here was fragile anyway, and only worked by dumb luck ('&' as the RHS, unescaped, replaced the match with itself).
Names should look like they look in the official API documentation. And there should be one obviously correct way to specify params, now that we can encode them properly.
…tarlet Version 1 was only deprecated, what, months ago? And HTTP more recently.