You will not be able to retrieve the user's password. Mendix does not allow this for security reasons and rightfully so. So that path is a dead end and certain to fail.
Since you have two Mendix apps and a user with the same uid/pwd, then the prettiest option is to use SingleSignOn, but if not already available, it will be out-of-scope for this one usecase.
Instead of uid/pwd you can use ‘active session’. See https://docs.mendix.com/refguide7/published-rest-service#authentication.
Use a webservice user instead of the current user.
Usually, this is no problem, as you have system to system API calls, and you can just secure them with user names and long and complex passwords (or client certificates, IP ranges etc). If you require a user, you can simply add a user name as a request parameter. You can then either execute a microflow as a user, or constrain data retrieval by an account object with a matching user name. This is by far the easiest solution.
I have built a system where a user would use an API to retrieve data, but the user would have to be known. Furthermore, since these API calls were done from a React application (i.e. pure JavaScript, no Mendix). For this, I used WebFlgihts JWT module. Using this module, I was able to create unalterable tokens, with a limited validity which contained the user name and send them to a React app. The API's I exposed required no authentication, but would check for this JWT in the header, validate the JWT, extract the user and run a microflow as that user, using entity access, to retrieve the data that user had access to.
Effectively, the second implementation accomplishes the same as the first, but it's more complex.