Credentials can be configured in the URL (see
SONAR-9896), for example http://login:password@server. When payload is sent, the credentials are removed from the URL and sent through the HTTP header authorization.
The URL stored with the delivery and available through api/webhook web services should be the effective URL, not the configured URL. The credentials should not be part of the URL persisted with deliveries.
Someday we could store the effective HTTP headers too, like GitHub, but it's not planned yet.