That completely depends on how the token is being passed. Can you provide sample request/response data, including headers, for the POST and GET requests? In general a token (such as a security token) is passed as part of the headers. Therefore you'd need to access the request's headers if you are being called by the WF app. If you are calling the WF app and it is returning a response then you'd need to go to the response headers instead.
The Form
fields are only available if the data is being passed as part of the body. For a POST this is possible but GET requests won't have a body.