Header-based bearer auth is already supported in API version 3, exactly as you describe. You must still pass the user ID as a GET parameter though.
The advantage of this approach is that you are not including secret information in the URL, where it could be logged in server access logs. Version 4, when it is out, will continue to have this feature.
with regards