Salesforce REST API: Securely passing credentials in the Username-password authentication flow

When an external system calls a Salesforce REST API, it first has to obtain an access token by calling the oauth2/token endpoint. With the username-password authentication flow, that call carries the credentials in plain text in the request body, which raises security concerns.


It looks like there is no alternative to passing the username and password, together with the client ID and client secret, as plain text in the username-password authentication flow:

grant_type=password&client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&client_secret=1955279925675241571&username=testuser%40salesforce.com&password=mypassword123456
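The following is an added example, not code from the original post, showing what a client can still do to limit exposure while the flow itself stays as above: it builds the oauth2/token request with Python's standard library, refuses to send to anything but an https endpoint (the form body is the only place the credentials live, so TLS is what keeps them off the wire), loads the four secrets from the environment rather than from source code, and masks client_secret and password before anything is logged. The endpoint path /services/oauth2/token is Salesforce's real token endpoint; the SAMPLE_CREDS values and the SF_* environment variable names are constructed for the example.

```python
import json
import os
import urllib.parse
import urllib.request

# Salesforce OAuth2 token endpoint path (real endpoint; host varies per org).
TOKEN_PATH = "/services/oauth2/token"

# Constructed sample values for offline demonstration only.
SAMPLE_CREDS = {
    "client_id": "EXAMPLE_CLIENT_ID",
    "client_secret": "EXAMPLE_CLIENT_SECRET",
    "username": "testuser@salesforce.com",
    "password": "mypassword123456",
}

SECRET_KEYS = ("client_secret", "password")


def is_secure_endpoint(login_url):
    """True only for https URLs; the credentials travel in the POST body."""
    return urllib.parse.urlsplit(login_url).scheme == "https"


def build_token_request(login_url, client_id, client_secret, username, password):
    """Return (url, body_bytes, headers) for a username-password grant.

    Raises ValueError rather than silently sending credentials over http
    or sending a request with an empty field.
    """
    if not is_secure_endpoint(login_url):
        raise ValueError("token endpoint must be https: %r" % login_url)
    fields = (("client_id", client_id), ("client_secret", client_secret),
              ("username", username), ("password", password))
    for name, value in fields:
        if not value:
            raise ValueError("missing credential field: " + name)
    # urlencode handles special characters such as '@' in the username.
    params = [("grant_type", "password")] + list(fields)
    body = urllib.parse.urlencode(params).encode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    netloc = urllib.parse.urlsplit(login_url).netloc
    url = urllib.parse.urlunsplit(("https", netloc, TOKEN_PATH, "", ""))
    return url, body, headers


def redact_form_body(body):
    """Return a log-safe copy of the form body with secret values masked."""
    pairs = urllib.parse.parse_qsl(body.decode("ascii"), keep_blank_values=True)
    masked = [(k, "***" if k in SECRET_KEYS else v) for k, v in pairs]
    return urllib.parse.urlencode(masked)


def load_credentials_from_env():
    """Read the secrets from the environment (hypothetical SF_* names)."""
    return {
        "client_id": os.environ.get("SF_CLIENT_ID", ""),
        "client_secret": os.environ.get("SF_CLIENT_SECRET", ""),
        "username": os.environ.get("SF_USERNAME", ""),
        "password": os.environ.get("SF_PASSWORD", ""),
    }


def request_token(login_url, creds, opener=urllib.request.urlopen):
    """POST the grant and return the parsed JSON token response."""
    url, body, headers = build_token_request(login_url, **creds)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demo: build the request from the constructed sample and show
    # the redacted body that would be safe to write to a log.
    url, body, _ = build_token_request("https://login.salesforce.com", **SAMPLE_CREDS)
    print("POST", url)
    print("body (redacted):", redact_form_body(body))
```

Set SF_CLIENT_ID, SF_CLIENT_SECRET, SF_USERNAME and SF_PASSWORD and call request_token("https://login.salesforce.com", load_credentials_from_env()) to perform the real exchange. Note what this does and does not change: TLS keeps the body from being read in transit, but the credentials are still present in clear text inside the request, so any proxy that terminates TLS, any HTTP client debug log, and any crash dump of the process can capture them; the redaction helper covers the logging case, the others still need to be treated as holding the secrets.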

I’ve raised an idea to enable a way to securely send the clientId & secret and the username & password. Please vote for this idea at https://success.salesforce.com/ideaView?id=0873A000000EA5yQAG.

If you have other solutions for this, please share them here.
