Remove "Hashing passwords" section from Security Section #509
Description
Problem description
There are no passwords in CAMARA API requests. There are not even shared secrets like client_id and secret in any Identity and Consent Management flow. In CAMARA client credentials requests MUST use private_key_jwt.
CAMARA follows the OAuth2 principle of separating authentication and authorization decisions from API access.
The API consumer first obtains authorization in the form of an access token and then uses that access token in the API request.
The security advice in the section "Good Practices for Securing REST APIs" is not applicable in CAMARA.
There is no "if it becomes absolutely necessary".
Expected action
The following text should be removed
Hashing passwords.
Passwords SHOULD never be transmitted in API bodies; however, if it becomes absolutely necessary, they MUST be hashed to protect the system and minimize potential damage in the event of a compromise. Utilizing strong hashing algorithms is crucial for password security. Effective options include Argon2, PBKDF2, bcrypt, and scrypt, which are designed to securely hash passwords and withstand various attack vectors.
Additional context
OAuth2 Obtaining Authorization
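The issue's point is that a CAMARA client never sends a password or shared secret: with private_key_jwt (RFC 7523 client assertions) the client proves possession of a registered private key by signing a short-lived JWT for the token endpoint, and the authorization server verifies it with the registered public key before issuing the access token that is later used on the API request. The following Go program is an added illustration of that exchange, not code from CAMARA or from any CAMARA project; the token endpoint URL, the client_id and the in-memory RSA key are constructed for the example, and the verifier side here is a minimal stand-in for an authorization server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed values for the example; a real client uses the authorization
// server's actual token endpoint and its registered client_id.
const (
	TokenEndpoint = "https://as.example.invalid/token"
	ClientID      = "camara-client-example"
)

// assertionClaims are the claims RFC 7523 requires in a client assertion.
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewTestKey generates a throwaway RSA key; in practice the client's key is
// provisioned once and its public half registered with the authorization server.
func NewTestKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildClientAssertion produces the RS256-signed JWT the client sends as the
// client_assertion parameter. Only the private key signs; no secret is transmitted.
func BuildClientAssertion(priv *rsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	hb, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	jti := make([]byte, 16) // fresh, unguessable id so the server can reject replays
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	cb, err := json.Marshal(assertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: b64(jti), Iat: now.Unix(), Exp: now.Add(2 * time.Minute).Unix(),
	})
	if err != nil {
		return "", err
	}
	signingInput := b64(hb) + "." + b64(cb)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyClientAssertion is the authorization-server side: it pins the algorithm,
// checks the signature with the client's registered public key, and enforces
// aud and exp before trusting iss/sub as the authenticated client.
func VerifyClientAssertion(pub *rsa.PublicKey, assertion, expectedAud string, now time.Time) (*assertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims assertionClaims
	if err := json.Unmarshal(cb, &claims); err != nil {
		return nil, err
	}
	if claims.Aud != expectedAud {
		return nil, fmt.Errorf("aud %q is not this token endpoint", claims.Aud)
	}
	if now.Unix() >= claims.Exp {
		return nil, errors.New("assertion expired")
	}
	if claims.Iss == "" || claims.Iss != claims.Sub {
		return nil, errors.New("iss and sub must both be the client_id")
	}
	return &claims, nil
}

func main() {
	priv, err := NewTestKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	jwt, err := BuildClientAssertion(priv, ClientID, TokenEndpoint, now)
	if err != nil {
		panic(err)
	}
	claims, err := VerifyClientAssertion(&priv.PublicKey, jwt, TokenEndpoint, now)
	fmt.Println("accepted client:", claims != nil && err == nil, claims.Iss)
}
```

The client would send the returned string as `client_assertion` (with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`) in the token request; what the server stores is only a public key, so a compromise of the server-side registry does not yield anything that can authenticate as the client, which is the property the issue contrasts with password-based schemes.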