As documented in the live API documentation (https://demo.openmf.org/api-docs/apiLive.htm#authentication), clients must send the username and password as URL parameters of the API endpoint.
This could cause credential leakage if the platform is deployed in an environment where there is server-side URL logging. Access to those logs would expose passwords.
The proposed solution is to alternatively allow sending the username and password in the request body or in a header.
Something similar happens with the OAuth endpoint:
Alternatively, allow credentials to be sent as part of the request payload. It would be less prone to leakage in case there is server-side URL logging.
For the /authentication endpoint, it might also make sense to support the standard HTTP Basic Auth header, which is already base64-encoded.
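A sketch of the proposed handling, added here as an illustration and not taken from the platform's code: credentials are read from an HTTP Basic `Authorization` header or from a JSON request body, and a separate check flags requests that still carry them in the URL. The function names, the JSON field names (`username`, `password`) and the sample values are assumptions.

```python
import base64
import binascii
import json
from urllib.parse import parse_qs, urlsplit

# Parameter names from the issue text; the JSON field names reuse them (assumption).
SENSITIVE = {"username", "password"}

def credentials_in_url(url):
    """True if the URL query carries credentials, i.e. they would land in URL logs."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(name.lower() in SENSITIVE for name in query)

def extract_credentials(headers, body):
    """Return (username, password) from a Basic header, else from a JSON body, else None.

    `headers` is assumed to be a dict with canonical header names.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed header: reject instead of falling back
        # Split on the first ':' only, because the password may contain ':' itself.
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    try:
        data = json.loads(body or b"{}")
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    user, password = data.get("username"), data.get("password")
    if isinstance(user, str) and isinstance(password, str):
        return user, password
    return None

# Constructed sample requests (values are made up for this example).
URL_STYLE = "/authentication?username=alice&password=s3cret%3Apw"
BASIC_HEADERS = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret:pw").decode()}
JSON_BODY = json.dumps({"username": "alice", "password": "s3cret:pw"}).encode()

if __name__ == "__main__":
    print("URL style is logged with secrets:", credentials_in_url(URL_STYLE))
    print("Header style URL is clean:", not credentials_in_url("/authentication"))
    print("From header:", extract_credentials(BASIC_HEADERS, b""))
    print("From body:", extract_credentials({}, JSON_BODY))
```

With either of the last two request styles, the logged URL is just `/authentication`, so server-side URL logging no longer records the password.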