I'm writing a
Security wise, doesn't really matter how you send it, as long as it doesn't contain sensitive information (e.g password) because it's not encrypted, it's encoded and token can be decoded very easily.
Even if someone (hacker, user etc) alters the token, server will verify and notice that (if you've set up verification correctly) and you can deny access to page, media, data or whatever your user requests.
Important! Use SSL! Otherwise hacker can steal the token from its owner and use it himself, server only checks if it's valid and not altered, not where it came from. Read more: man-in-the-middle attack
How you do it, is totally up to you and your project, however I would personally send it via header.