I have used NetMon to monitor the traffic between my application (on my laptop) and the Windows Server hosting QVServer and the QMS that responds to the QMSAPI calls.
It appears that as part of the HTTP Post that is done as part of the QMSAPI Call to GetServerDocList on the host, there is first a behind the scenes NTLM challenge/response.
The Login name under which the app is running (in my case the Windows Desktop login, but if the app were a service then it would be the login property associated with the service) is sent to the host, the host sends back a string that needs to be hashed using the password associated with the login, the hashing is done, the response sent to the host, the host sendw the same string off to be hashed using the password ON THE HOST that is associated with the login name that was sent. If both hash values match … the NTLM process generates a SessionID that is returned to the app and the app resends the post using the SessionID and the host that accepts the request and satisfies it.
All this NTML stuff happens "behind the scenes".
The App is not involved in password lookup, hashing etc.