Richard Wackerbarth writes: > Since we consider the user manager to be a part of the MM complex, > what have we gained by hiding the underlying credential from the > web interface? Security. See the OAuth 2.0 spec (RFC 6749) which recommends (at SHOULD level) this practice.