I’m not actually suggested anything be un-encrypted. I’m just saying we manage keys on the server not the client. Tls secures the password transaction, then the server issues the client a key and everything works as s@ suggests. If the keys expire or the client loses them, you repeat the login process.