In most cases, security is sufficient, minus logging.
Your server must have the password in plain text at some point, whether it is a connection or a connection. In this case, the user transmits his password to the API via an HTTPS POST request, the server checks the password against a hashed and salted value. password with lots of salt turns using bcrypt and ideally generate a JWT after authentication. It is impossible for a third party (or you) to access the password. The transfer is made safely over the Internet and then it has not left your secure server (unless you connect it). Be diligent with the newspapers; make sure that no PPIs, including passwords, are registered (some companies do it and that makes me really crazy).
Passwords are hashed, as opposed to encrypted, in general and with bcrypt (though, depending on how deep you want to dive, you can say that bcrypt uses encryption, but not for the reason you believe). Always refer to "hashed" passwords because encryption refers to something completely different.
Assuming the server is securely hosted (if you are using a third-party container service, this is probably true)
Assuming that the password is assigned to the API via HTTPS and can not be intercepted during transit. Depending on the application, you may want to go up to the identification of certificates to avoid MITM attacks via HTTPS.
By using bcrypt, you have already done your part to securely store the passwords – high of five -.