auth token is seemingly in http querystring, even when using `usePost(True)`

When using `.publish` and `.usePost(True)` we are still getting auth details in the querystring.  It would seem this isn't appropriate.  With minimal middleware from FastApi, this can lead to logging of (what I believe, but I could be wrong) auth tokens in the querystring.  We'd like the use of post to post this sensitive information.