I do not want to show username/password openly.

Define "openly".

If you need the user's web browser to retrieve the password-protected content from the password-protected site, then the user's web browser has to have the username and password, so ipso facto the user has the ability to see it as well.

There are various cheap tricks you can pull to (try to) conceal this fact from users who don't understand computer networks very well, but fundamentally the information will be _available_ to the user, and any user who knows the difference between an HTTP header and a document head element is going to be able to figure it out. If that's good enough for your purposes, say so, because otherwise most people on here are going to assume it's probably not.

If you need the user to see the password-protected content but _not_ be able to see the username and password, then the content needs to be retrieved from the password-protected server not by the user's web browser but by a system beyond the user's control, such as your website.