Passwords need to be sent both with the request, and to the requestor. I think GP is referring to sending credentials to the service making the request.
It is far better to give service XYZ a time-bound and scope limited token to perform a request than a user's username and password.
It is far better to give service XYZ a time-bound and scope limited token to perform a request than a user's username and password.