The issuer may opt to not store password with Apata to maintain a single system of record. If this is the case then a webhook will be configured to receive the password when it is created or updated by the cardholder, or an empty 200 response if the issuer is verifying the password. API Backwards Compatibility: Apata may introduce non-breaking changes to API requests and responses, including the addition of new fields. To ensure continued compatibility, please design API validation logic to tolerate and gracefully handle any extra fields that may be included in the payload.