836 WHIP endpoints and sessions could perform the authentication and
837 authorization by encoding an authentication token within the URLs for
838 the WHIP endpoints or sessions instead. In case the WHIP client is
839 not configured to use a bearer token, the HTTP Authorization header
840 field must not be sent in any request.
Is there a reason normative language is not used here?
Is there a reason normative language is not used here?