...
Security of password authentication
The password is a bearer token, so the client must guard it from disclosure.
The most common attacks against password authentication are phishing, guessing, and reuse.
- An API client will not normally be susceptible to phishing.
- If the password is sufficiently long (e.g. 128 bits) it will not be guessable.
- The password is valid only for the specific client to the specific service. It cannot be reused for another service.
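As an added illustration (not code from the original text), the three points above in Python: a 128-bit random password is issued per (service, client) pair, only its digest is stored server-side, and verification succeeds solely for that pair. The names issue_password and verify_password and the in-memory store are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory credential store: (service, client) -> SHA-256 of the password.
# A real service would persist this; the structure here only demonstrates the scoping.
_store: dict[tuple[str, str], bytes] = {}


def issue_password(service: str, client: str) -> str:
    """Issue a fresh 128-bit random password bound to one (service, client) pair.

    The clear value is the bearer secret the client must guard; the server keeps
    only a digest. Because the secret carries 128 bits of entropy, a fast hash is
    sufficient here; a slow KDF is needed only for low-entropy, human-chosen passwords.
    """
    password = secrets.token_hex(16)  # 16 random bytes = 128 bits of entropy
    _store[(service, client)] = hashlib.sha256(password.encode()).digest()
    return password


def verify_password(service: str, client: str, presented: str) -> bool:
    """Accept the presented value only if it is the password issued for this exact
    service/client pair. A password issued for another service never matches,
    because the lookup key includes the service name.

    hmac.compare_digest keeps the comparison constant-time so a remote caller
    cannot learn digest bytes from response timing.
    """
    expected = _store.get((service, client))
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(presented.encode()).digest())
```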
Security of JWT authentication
...
The JWT is a bearer token, so the client must guard it from disclosure.
...