Credentials are verified server-side via the legacy service, without sending the password in the query string.