It depends on whether you are using a REST endpoint over HTTP or HTTPS. In the latter, the transport layer is secured. Hence, the username and password will be sent encrypted. However, anyone having access to the model will have access to these credentials. There are more secure ways for handling REST calls. Please have a look at https://www.owasp.org/index.php/REST_Security_Cheat_Sheet#HTTPS
You would normally specify a constant value for the password. Its default value would be the password of your dev/test server, with a value that all of the developers are allowed to know.
The production password is stored in the constant value in the cloud portal.