I have always wondered how feasible it would be to use the basic auth URL syntax for thinks like API tokens and email validation. Ideally these values would not be logged but if you want a user to click them they basically need to be in the URL. So either you don't log URLs or you need to redact all of these parameters. Most systems are smart enough to avoid logging passwords so if you could just use URLs like randomtoken@example.com/confirm-email. However it seems like browsers usually put up scary warnings and most email providers will consider this a spammy/scammy pattern.
Of course another problem here is that you just want it for one URL, whereas basic auth is usually preserved for the session.
Of course another problem here is that you just want it for one URL, whereas basic auth is usually preserved for the session.