This was previously answered here, and they suggest making a custom controller if you really want to send passwords in an API response:
This was previously answered here, and they suggest making a custom controller if you really want to send passwords in an API response: