Yep. A few years ago I used my credentials in some in-house back-office app that a coworker wrote. Later I was able to see my http calls in the company-wide logging system, with my username and password 'hidden' in a jwt.