I have turned out that there are still a few features to need developing to publish these APIs to web apps.

This time i encupsuled user's one setting value and added the password auth.

Authorization flow has many considerations, even if you doesn't have "server", hasn't it?

low time preference!