For most purposes this is safe enough, minus logging.
Your server must have the plain text password at one point, regardless of whether it logs on or logs on. In this case, the user forwards their password to the API via an HTTPS POST request. The server checks the password with a hash and salt password with many salt rounds using bcrypt and ideally after authentication generate a JWT. There is no way for an outsider (or you) to access the password. It has been securely transmitted over the Internet and has not left your secure server (unless you log it in). Be diligent with protocols; Make sure that no PPI is logged with passwords (some companies do and it really drives me crazy).
The passwords are hashed and not encrypted, in general, and with bcrypt (though depending on how deep you want to dive, bcrypt might be encrypted, but not for the reason that you think). Always refer to "hashed" passwords as the encryption refers to something completely different.
Assuming the server is securely hosted (if you are using a third-party container service, this is probably the case).
For example, suppose the password is passed to the API over HTTPS and can not be caught during the transfer. Depending on the application, you may want to pending attaching certificates to avoid MITM attacks over HTTPS.
By using bcrypt, you have already made a contribution to the secure storage of passwords.