Displaying the password on a filtered request

That’s odd, because in the User content type the password attribute is marked as private (source) :face_with_raised_eyebrow:

I didn’t try the myself, but maybe adding “password” to the list of privateAttributes in /config/api.js could help? See doc: