When it comes to passing a username and password from a client to a web API, security is of utmost importance. Follow these best practices to ensure the sensitive information is transmitted securely:

1. Use HTTPS: Always use HTTPS protocol to encrypt the data during transmission, preventing it from being intercepted by malicious actors.
2. Hash Passwords: Instead of sending plain text passwords, hash them using secure algorithms like bcrypt before sending them to the API.
3. Token-Based Authentication: Implement token-based authentication mechanisms like JWT (JSON Web Tokens) to securely authenticate users without exposing their passwords.
4. SSL/TLS Certificates: Ensure that the web API server has a valid SSL/TLS certificate to establish a secure connection with the client.
5. Implement Rate Limiting: To prevent brute force attacks, implement rate limiting mechanisms to restrict the number of login attempts within a specific time frame.

By following these security measures, you can pass usernames and passwords from clients to web APIs safely and protect sensitive information from unauthorized access.