We are not aware of your API functionality. So, there may be a case in which your application needs the original request data to perform some process in a stateless environment. I mean, the sender or requester doesn't want to hold on to the request message until it gets processed and comes back in your API.
But exposing the username and password like this is highly unlikely.
Even if your production runs on https, it doesn't mean it can't be tampered with. If you are using (exchanging) SSL certificates at both the client and server end then it's fine. There is one more option in https at the server side, "without client authentication". In this type of transport a self-signed certificate is used by the client to send and receive http requests and responses. This can be tampered with.
So make sure that you are exchanging SSL certificates, if your client is very concerned about security.
And there is no need to send the password, at least. For one time, you can send the username, but sending the password like this will be a blunder for the security of your application.
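The last point of the answer above, that the API may echo the original request back to a stateless client but must never repeat the password, can be implemented by redacting credential fields from the echoed payload before it leaves the server. The following is an added example written for this thread, not code from the answerer or from any project mentioned here; the set of key names treated as credentials and the `request_id` field are assumptions for the illustration. The username is kept, as the answer allows, and a random server-generated id is attached so the client can still correlate the reply.

```python
import json
import secrets
from typing import Any

# Key names treated as credentials and stripped from the echo; everything else
# is returned unchanged. This list is an assumption for the example.
SENSITIVE_KEYS = frozenset({"password", "passwd", "pwd", "secret", "token", "api_key"})


def redact_credentials(value: Any) -> Any:
    """Return a copy of a decoded JSON value with credential fields removed.

    Dictionaries are walked recursively so nested objects such as
    {"auth": {"password": "..."}} are covered; lists are walked element by element.
    Key matching is case-insensitive ("Password" is treated like "password").
    """
    if isinstance(value, dict):
        return {
            k: redact_credentials(v)
            for k, v in value.items()
            if k.lower() not in SENSITIVE_KEYS
        }
    if isinstance(value, list):
        return [redact_credentials(v) for v in value]
    return value


def build_echo_response(request_body: str) -> dict:
    """Build the response body for an endpoint that echoes the original request.

    The echo keeps what a stateless client needs to recognise its own request
    (including the username) but never the password. A server-generated
    request id is added so later messages can refer to this request without
    any credential being sent again.
    """
    original = json.loads(request_body)
    return {
        "request_id": secrets.token_hex(16),  # 32 hex chars, unguessable
        "echo": redact_credentials(original),
    }


if __name__ == "__main__":
    # Constructed sample request, shaped like the one the question describes.
    sample = json.dumps({
        "username": "alice",
        "password": "hunter2",
        "order": {"id": 42, "items": ["widget"], "auth": {"token": "abc"}},
    })
    print(json.dumps(build_echo_response(sample), indent=2))
```

Because the redaction runs on the decoded structure rather than on the raw string, a credential hidden inside a nested object or a list of objects is removed as well, which a simple top-level key check would miss.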