diff --git a/lib/oauth2.js b/lib/oauth2.js
index 7aec9eb..34f0542 100644
--- a/lib/oauth2.js
+++ b/lib/oauth2.js
@@ -67,7 +67,7 @@ exports.OAuth2.prototype._request= function(method, url, headers, post_body, acc
   realHeaders['Host']= parsedUrl.host;
 
   realHeaders['Content-Length']= post_body ? Buffer.byteLength(post_body) : 0;
-  if( access_token ) {
+  if( access_token && !('Authorization' in headers)) {
     if( ! parsedUrl.query ) parsedUrl.query= {};
     parsedUrl.query[this._accessTokenName]= access_token;
   }
diff --git a/tests/oauth2.js b/tests/oauth2.js
index 2afa29c..3db23c3 100644
--- a/tests/oauth2.js
+++ b/tests/oauth2.js
@@ -1,7 +1,8 @@
 var vows = require('vows'),
     assert = require('assert'),
     https = require('https'),
-    OAuth2= require('../lib/oauth2').OAuth2;
+    OAuth2= require('../lib/oauth2').OAuth2,
+    url = require('url');
 
 vows.describe('OAuth2').addBatch({
     'Given an OAuth2 instance with clientId and clientSecret, ': {
@@ -16,6 +17,16 @@ vows.describe('OAuth2').addBatch({
               assert.equal( refresh_token, "refresh");
             });
         },
+        'we should not include access token in both querystring and headers': function (oa) {
+            oa._request = new OAuth2("clientId", "clientSecret")._request.bind(oa);
+            oa._executeRequest= function( http_library, options, post_body, callback) {
+              callback(null, url.parse(options.path, true).query, options.headers);
+            };
+            oa.get("/userinfo", 'access', function(error, query, headers) {
+              assert.ok( !('access_token' in query), "access_token not in query");
+              assert.ok( 'Authorization' in headers, "Authorization in headers");
+            });
+        },
         'we should correctly extract the token if received as a JSON literal': function (oa) {
           oa._request= function(method, url, headers, post_body, access_token, callback) {
             callback(null, '{"access_token":"access","refresh_token":"refresh"}');