So in the documentation it mentions that I need to pass the user's plaintext password if my is service acting on behalf of that user. Is that correct? If so, that's terribly insecure. I should not ever know my users' Droneshare password plaintext or otherwise. You should implement an OAuth 2.0 workflow as soon as possible. Until then I just can't use DroneKit Cloud in my service.