Add support for using client secret as auth when verifying an exchange token #64

Closed
fisher60 opened this issue Nov 7, 2023 · 0 comments · Fixed by #69
Labels: enhancement (New feature or request)

Comments

fisher60 (Member) commented Nov 7, 2023

Summary

Currently we require the developer application to exchange its refresh token for an AbandonAuth JWT access token. This access token is sent as header auth when verifying an exchange token.

A more standard way to do this is to exchange the token in a POST request where the developer application provides its application ID and client secret in the body, rather than header auth.

We can add support for this type of auth and also maintain the existing header auth. The header auth should be safer/more secure as it utilizes a shorter-lived access token and limits the exposure of the permanent client secret. We can make it optional if users wish to use the client secret as auth in the request body or would prefer the slightly more secure method of using an access token in the headers.

Acceptance Criteria

  1. A new method to authorize exists for this function that allows the user to provide their client secret and application ID in the body of the POST request instead of as an authorization header.
  2. The existing header auth is also allowed for authorization instead of the POST request body.
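The dual authentication described in this issue, as an added example that is not AbandonAuth's own code: the verify-exchange-token endpoint resolves the calling developer application either from a short-lived HS256 access token in the Authorization header or from `application_id` + `client_secret` in the POST body. Everything here is assumed for illustration: the `JWT_SIGNING_KEY`, the hypothetical `APPLICATIONS` registry (which stores only a salted PBKDF2 hash of each client secret, never the secret itself), the constructed `DEMO_CLIENT_SECRET`, and the policy that a present but invalid Authorization header fails closed instead of falling through to body credentials.

```python
"""Added example (not AbandonAuth code): accept a bearer access token in the
Authorization header OR application_id + client_secret in the request body."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed server-side HS256 signing key (constructed for this example).
JWT_SIGNING_KEY = secrets.token_bytes(32)
ACCESS_TOKEN_TTL = 900  # seconds; the header method is safer because this is short


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(application_id: str, now: Optional[int] = None) -> str:
    """Issue the short-lived HS256 JWT the refresh-token exchange would return."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": application_id, "iat": now, "exp": now + ACCESS_TOKEN_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(JWT_SIGNING_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the application id from a valid, unexpired token, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
            return None
        expected = hmac.new(JWT_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if int(payload.get("exp", 0)) <= now:
            return None
        return payload.get("sub")
    except (ValueError, AttributeError, TypeError):
        return None


def hash_client_secret(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked registry does not leak usable client secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


DEMO_CLIENT_SECRET = "constructed-demo-secret"  # constructed for the example
_DEMO_SALT = secrets.token_bytes(16)
# Hypothetical registry of developer applications; only the secret hash is stored.
APPLICATIONS = {"app_123": {"salt": _DEMO_SALT, "secret_hash": hash_client_secret(DEMO_CLIENT_SECRET, _DEMO_SALT)}}


def verify_client_secret(application_id: str, client_secret: str) -> bool:
    app = APPLICATIONS.get(application_id)
    if app is None:
        # Run the KDF anyway so an unknown id costs the same time as a wrong secret.
        hash_client_secret(client_secret, b"\x00" * 16)
        return False
    candidate = hash_client_secret(client_secret, app["salt"])
    return hmac.compare_digest(candidate, app["secret_hash"])


def authenticate_application(headers: dict, body: dict) -> Optional[str]:
    """Resolve the caller from either method. Header auth is checked first; if an
    Authorization header is present but invalid we fail closed rather than trying
    the body credentials. Body auth is the fallback when no header is supplied."""
    normalized = {k.lower(): v for k, v in headers.items()}
    auth = normalized.get("authorization", "")
    if auth.startswith("Bearer "):
        return verify_access_token(auth[len("Bearer "):])
    application_id = body.get("application_id")
    client_secret = body.get("client_secret")
    if isinstance(application_id, str) and isinstance(client_secret, str):
        return application_id if verify_client_secret(application_id, client_secret) else None
    return None
```

Whichever method authenticates the caller, the endpoint should still check that the exchange token being verified was issued to that same application id before returning anything about it.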