
They do them with much less complexity than OIDC.


They absolutely do not and also introduce a significant amount of overhead with respect to key/certificate management.


And security (basic auth is as good as sending clear text passwords).


> sending clear text passwords

Which is totally fine to do over HTTPS.


Passwords need to be sent both with the request, and to the requestor. I think GP is referring to sending credentials to the service making the request.

It is far better to give service XYZ a time-bound and scope-limited token to perform a request than a user's username and password.
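The contrast drawn in this thread, forwarding a user's Basic credentials versus handing a downstream service a short-lived, narrowly scoped token, as an added example that is not part of the original discussion. The token format here is a constructed HMAC-SHA256 bearer token (payload plus tag), not a standards-conformant JWT, and the key, service name, scopes and timestamps are all made-up demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for the example only; a real deployment loads it from a secret store.
DEMO_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic header: base64 is encoding, not protection."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def password_from_basic_header(header: str) -> str:
    """Any service that receives the header holds the full, reusable password."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    return raw.split(":", 1)[1]


def issue_token(key: bytes, subject: str, audience: str, scopes, ttl_seconds: int, now=None) -> str:
    """Mint a token bound to one audience, a fixed scope list and an expiry."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": subject,
        "aud": audience,          # which service may accept it
        "scope": sorted(scopes),  # what it may be used for
        "iat": now,
        "exp": now + ttl_seconds, # when it stops working
    }
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_token(key: bytes, token: str, expected_audience: str, required_scope: str, now=None):
    """Return (ok, reason). The signature is checked before anything is parsed."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "bad_signature"
    try:
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return False, "malformed"
    if claims.get("aud") != expected_audience:
        return False, "wrong_audience"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if required_scope not in claims.get("scope", []):
        return False, "insufficient_scope"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    hdr = basic_auth_header("alice", "s3cret")
    print("Basic header hands over:", password_from_basic_header(hdr))
    tok = issue_token(DEMO_KEY, "alice", "svc-xyz", ["reports:read"], 300, now=t0)
    print("fresh, right scope:", verify_token(DEMO_KEY, tok, "svc-xyz", "reports:read", now=t0 + 10))
    print("five minutes later:", verify_token(DEMO_KEY, tok, "svc-xyz", "reports:read", now=t0 + 300))
    print("asking for write:  ", verify_token(DEMO_KEY, tok, "svc-xyz", "reports:write", now=t0 + 10))
    print("replayed elsewhere:", verify_token(DEMO_KEY, tok, "other-svc", "reports:read", now=t0 + 10))
```

The point the thread makes shows up in the two verification paths: the Basic header can be turned back into the password by any hop that sees it and stays valid until the user changes it, whereas the token stops working after `ttl_seconds`, is rejected by any service other than its intended audience, and cannot be used for an action outside its scope list even by the service it was minted for. Checking the tag before parsing the body means a tampered or malformed payload is refused without ever being interpreted.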



