Is it accurate to assume that user's information, including username and password, is kept private whenever we use token-based authentication?
Token based Authentication
Great question. Let's discuss … So the operative in your question is the concept of "assuming" that something is kept secure, in your case, the user's name and password.
The way token-based authentication works, it should provide security for the user's information IF (big IF) nothing were to go wrong, and/or nobody was able to hijack or break the system in any one of several ways that could lead to compromise.
My point being that while the system is designed to provide a measure of protection, it is never absolute, and rather than assume, we should trust but verify that the system is operating as designed and implemented to ensure maximum protection.
I hope that helps.