It’s better to use the authorization header instead of or in addition to client-id whenever you can. If you don’t have a user authorization, use an app authorization token.
Helix (to my knowledge) does not support passing either of these via URL parameters.