API User and password in Header

look, the ideal is you do something in the style of OAuth.

Leave a Url for authentication, this Url should expect a Body with Usuario and Senha, the return of this section should be a Token. This Token must be unique for each successful authentication, it must be linked to the User.

For security reasons, I advise that the Token be stored as a 64 byte array in the database, and it should be generated through a strong algorithm, follow an example in C# (although you have not specified a language for the BackEnd).

var token = new byte[64];
var random = RandomNumberGenerator.Create();
random.GetBytes(token);

Thus, even if you have two users logged in using the same Usuario, you will be able to distinguish the two through the Token.

And of course, what will traffic in the header is the Base64 representation of this Token.

Finally, another safety tip, use the same generation strategy as the Token for the generation of Salt when registering the password, but once, follow an example in C#.

var password = "Minha@Senha$1234"
var salt = new byte[16];
var random = RandomNumberGenerator.Create();
random.GetBytes(salt);

var pepper = salt.Sum(x => x);
var encrypted = KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, 8000 + pepper, 64);

It’s safe but it’s not the practice. In all API’s I know (CIELO, Google and Unlisted Images) without exception the authentication is through a key which is generated from a Guid, where it can be either sent by Header or in the request URL, but in all recommendations it is through Header.

Follow the example of CIELO that asks merchantID and merchantKey within Header only.