No you normally do not send the password to the server. You can ask the user to enter the password when the application is openend.

Authentication is much easier when you use the GraphQL replication. There you are much more flexible on which data you return depending on which user is asking for it.