@oddz Thanks for your reply.
What I’m thinking is, if the Service class has no validation or any checking of $credentials parameter, then when it’s packed as a library somebody can misuse it by sending credentials without username. What do you think?