[QUESTION] - How does Oauth2 (Bearer token) work when getting access_token?

First check

• I used the GitHub search to find a similar issue and didn’t find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google “How to X in FastAPI” and didn’t find any information.

Description

I will start off by saying I have followed a guide of how to make a secure API using FastAPI (https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/).

What happens is that you will have two api which one is post and get

POST is where you pass the

curl -X POST "http://127.0.0.1:8000/token" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=&username=hello&password=world&scope=&client_id=&client_secret="

GET is an api that requires the access_token Bearer to be able to access the API etc http://127.0.0.1:8000/getUser

Now I am pretty confused on how safe you can run the application because what makes me confused is that I would need to make a POST request with my username and password to the API which will return me access_token and I believe with that access_token I later on access the next api which is http://127.0.0.1:8000/getUser? Is this the correct way or am I out of scope?

Because what makes me unsafe is that if I now lets say “hardcode” my username and password into a python script and someone manages to reverese engineer the script/exe/whatever (Maybe even see through network what is sending as params/data)- they will be able to access my token in that case. So what would be the suggestion here?