Status: Open
Labels: Bug, Contributor Friendly, OAuth2-Provider (this impacts the provider part of OAuth2)

Description
In the spec (http://tools.ietf.org/html/rfc6750#section-2.2) it says that when you access the protected resource by including the token in the body (rather than the headers) you should only be able to do this through a PUT request, not GET. Also, there are a few other things. I'm able to do this:

```python
import json
import requests

# Obtain a token with the client credentials grant (token_url, client_id and
# client_secret are set elsewhere).
response = requests.get(token_url, params={'grant_type': 'client_credentials',
                                           'client_id': client_id,
                                           'client_secret': client_secret})
token = json.loads(response.text)

# Call the protected resource with the token passed as request parameters and
# no Authorization header.
response = requests.get(api_url, params=token, headers={})
```

The important part being that I am putting the token in the body and issuing a GET request. Isn't this against the spec and shouldn't it fail?
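The placement rules the issue refers to are in RFC 6750 section 2: the Authorization header (2.1), a form-encoded body for methods other than GET (2.2), or the query string (2.3), and never more than one of these in one request. As an added example (not oauthlib's code), the helper below shows how a resource server can enforce those rules before it even looks the token up. The request is assumed to be passed in as plain method, header, query and body values; the rejection helper at the end exists only to make the outcome easy to check.

```python
"""Bearer-token placement check per RFC 6750 section 2 (added example, not oauthlib code)."""
from urllib.parse import parse_qs


class InvalidTokenRequest(Exception):
    """Raised when a request violates an RFC 6750 token-placement rule."""


def extract_bearer_token(method, headers=None, query_string="", body="", content_type=""):
    """Return the bearer token carried by a request, None if there is none, or
    raise InvalidTokenRequest when the placement is forbidden.

    Order of the checks mirrors RFC 6750:
      2.1  Authorization: Bearer <token>          (preferred)
      2.2  access_token in a form-encoded body     (MUST NOT be used with GET)
      2.3  access_token in the query string        (allowed, discouraged)
      2    a request MUST NOT use more than one of the above
    """
    headers = headers or {}
    found = {}

    # 2.1 Authorization header, case-insensitive header name and scheme.
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth:
        scheme, _, credential = auth.strip().partition(" ")
        if scheme.lower() == "bearer" and credential.strip():
            found["header"] = credential.strip()

    # 2.3 Query string parameter.
    query_params = parse_qs(query_string) if query_string else {}
    if "access_token" in query_params:
        found["query"] = query_params["access_token"][0]

    # 2.2 Form-encoded body: only with the right content type, never on GET.
    body_params = parse_qs(body) if body else {}
    if "access_token" in body_params:
        media_type = content_type.split(";")[0].strip().lower()
        if media_type != "application/x-www-form-urlencoded":
            raise InvalidTokenRequest("body token requires application/x-www-form-urlencoded")
        if method.upper() == "GET":
            raise InvalidTokenRequest("RFC 6750 2.2: GET must not carry the token in the body")
        found["body"] = body_params["access_token"][0]

    if not found:
        return None  # caller answers 401 with a WWW-Authenticate: Bearer challenge
    if len(found) > 1:
        raise InvalidTokenRequest("RFC 6750 section 2: token sent via more than one method")
    return next(iter(found.values()))


def is_rejected(**request):
    """True if extract_bearer_token refuses the request outright."""
    try:
        extract_bearer_token(**request)
    except InvalidTokenRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(extract_bearer_token("GET", {"Authorization": "Bearer abc123"}))
    print(is_rejected(method="GET", body="access_token=abc123",
                      content_type="application/x-www-form-urlencoded"))
```

Note that the request in the issue sends the token as query parameters, which section 2.3 permits; what section 2.2 forbids is the token in a GET entity-body, and the helper raises on exactly that case.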