By default, config/initializers/filter_parameter_logging.rb will filter the password

Rails.application.config.filter_parameters += [:password]

So, the logs would filter out the password and never be displayed in the logs. Whenever communicating with API, especially sending the password, you should always encrypt the communication with SSL. This is really no different than sending a POST request to a web login session. Unless the form is posted to an endpoint over SSL, the password would also be sent over plaintext.

Great questions!