web application – How risky are encoded auth and access token sent as base64 in a GET request

Lately, I have been doing a manual review of a web-application designed using python-flask,polymer js and node.js.

I was able to retrieve both auth and access-token since it was base64 encoded. The application developers say they have not exposed the api-endpoints.

So with the GET request
I can view a json formated file on web-browser in the data section is contained the base64 encoded request which looks like this (after utf-8 HTML decoding looks like)


I tried sending it with a different username instead of demouser i got 302 response. I’m using zap for testing. I want to know what be impact of this vulnerability in such scenario, is there a way i can replay this api get request outside application (logged-in) context. Thanks.