This depends on the token expiration. If the token is valid for say minutes or an hour, you can include it as a client-safe header for the second call. If the token nevee expires obtain it and then manually save it as a private header parameter on the call.
We’ll enable native OAuth support soon, it looks like it’s needed. This will make the process transparent and secure, since it will be handled by our server.