Authenticator vs credential in CBLReplication

I’m looking at some code where the ‘credential’ property was used to send the user name and password. The issue I’m looking at is the getting 401 errors from the replicator so I was looking at where the authentication is done. Since I’m new to CBL I checked the documentation and now I’m not sure why the credential property was used vs the authenticator since all the sample code I have seen uses authenticator. It looks like ultimately you end up passing a user and password to both.

/** An object that knows how to authenticate with a remote server.
CBLAuthenticator is an opaque protocol; instances can be created by calling the factory methods
of the class of the same name. */
@property (nonatomic, strong, nullable) id authenticator;

/** The credential (generally username+password) to use to authenticate to the remote database.
This can either come from the URL itself (if it’s of the form “”)
or be stored in the NSURLCredentialStorage, which is a wrapper around the Keychain. /
@property (nonatomic, strong, nullable) NSURLCredential

The credential property is connected to the NSURLCredentialStorage, a registry for credentials. You can set it to register a login for that URL, either transiently (until quit) or persistently (in the app’s keychain.) Once you’ve registered the credential you don’t need to register it again.

The authenticator property is used to explicitly attach credentials to this specific replication instance. They won’t be persisted or shared.

The best way to manage username/password authentication is to prompt for it once, and then store the credential in the keychain. You can store it either by setting the credential property (making sure the credential object you create specifies persistence), or calling the NSURLCredentialStore directly.