"Who am I", "which users/accounts may I access", and "which user/account do I want to access right now" are different questions, and it's only the latter that belongs in the URL. I agree that secrets in particular must not be exposed in the URL.