rest - Issues calling RESTful Glassfish Java web service with jQuery ajax
XSS/CORS is allowed on the Apache web server, and I can make calls using query string parameters.
The RESTful service, I'm told, uses OAuth.
The call to the RESTful web service is trivial in Fiddler via Composer, and returns valid JSON data. I set 1 Authorization header. The requests are totally different when sent in Fiddler Composer versus setting the header in ajax.
I've tried with and without the Accept and Access-Control-Allow-Origin headers.
This is the request header from Fiddler after executing the request in Composer:
    GET {/trailing server url} HTTP/1.1
    Cookies / Login
        Authorization: Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    Transport
        Host: {server url}
And the ajax request:
    $(function () {
        var token = "Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
        $.ajax({
            url: url, // service URL, not shown in the post
            dataType: "json",
            // These are sent as request headers on the cross-origin call.
            headers: {
                "Access-Control-Allow-Origin": "*",
                Accept: "application/json",
                Authorization: token
            } //,
            //beforeSend: function (jqXHR) {
            //    jqXHR.setRequestHeader("Access-Control-Allow-Origin", "*");
            //    jqXHR.setRequestHeader("Accept", "application/json");
            //    jqXHR.setRequestHeader("Authorization", token);
            //}
        })
        .success(function (data) {
            console.log("success");
        })
        .fail(function (jqXHR, textStatus, error) {
            console.log("error - textStatus = " + textStatus + " , error = " + error);
        });
    });
These are the HTTP request headers captured via Fiddler for the ajax browser request:
    OPTIONS {trailing server url} HTTP/1.1
    Client
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.5
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
    Cookies / Login
        DNT: 1
    Miscellaneous
        Access-Control-Request-Headers: access-control-allow-origin,authorization
        Access-Control-Request-Method:
        Origin: {local machine url}
    Transport
        Connection: keep-alive
        Host: {server url}
Why does the ajax request header display 'OPTIONS' instead of 'GET' like the Fiddler Composer header?
Why does the Fiddler Composer header show the Authorization: Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx value under the Cookies / Login section?
I'm hearing that I shouldn't be keeping the token in JavaScript code because it can be viewed in the browser (in reality, the token is not hard coded but passed as a variable). How else can I pass the token and keep it secure?
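
The exchange in the question above, as an added example that is not part of the original post: a simplified JavaScript model of the browser's CORS preflight decision, showing why the $.ajax call produces an OPTIONS request that names access-control-allow-origin and authorization, and what the server's preflight response has to contain. The function names, the reduced safelist (no value-length or Range checks) and all sample values are assumptions made for this example.

```javascript
// Simplified model of the browser's CORS preflight decision (Fetch standard).
// Header values, origins and server responses used with it are constructed.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (SAFE_HEADERS.has(n)) return true;
  if (n !== "content-type") return false;
  return SAFE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
}

// Returns null when the request goes out directly, otherwise a description
// of the OPTIONS preflight the browser sends first.
function preflightFor(method, headers) {
  const unsafe = Object.keys(headers)
    .filter((h) => !isSafelisted(h, headers[h]))
    .map((h) => h.toLowerCase())
    .sort();
  const m = method.toUpperCase();
  if (SAFE_METHODS.has(m) && unsafe.length === 0) return null;
  return { method: "OPTIONS", requestMethod: m, requestHeaders: unsafe };
}

// Evaluates the server's preflight response (keys lowercase, no cookies sent).
function preflightAllows(preflight, origin, response) {
  const list = (k) =>
    (response[k] || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowOrigin = response["access-control-allow-origin"] || "";
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const methods = list("access-control-allow-methods");
  const methodOk = SAFE_METHODS.has(preflight.requestMethod) ||
    methods.includes("*") || methods.includes(preflight.requestMethod.toLowerCase());
  const allowed = list("access-control-allow-headers");
  // "*" never covers Authorization; the server must list it by name.
  const headersOk = preflight.requestHeaders.every((h) =>
    allowed.includes(h) || (h !== "authorization" && allowed.includes("*")));
  return methodOk && headersOk;
}

// The headers the question's $.ajax call sets, then the same call without
// the response-only Access-Control-Allow-Origin header.
const asPosted = preflightFor("GET", { "Access-Control-Allow-Origin": "*",
  Accept: "application/json", Authorization: "Bearer <token>" });
const trimmed = preflightFor("GET", {
  Accept: "application/json", Authorization: "Bearer <token>" });
console.log(asPosted.requestHeaders.join(","), "|", trimmed.requestHeaders.join(","));
```

Fiddler Composer is not a browser and applies no same-origin policy, which is why its GET goes out without any preflight.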