TL;DR for sensitive fields

1. commandline

nodal new sensitive-fields
cd sensitive-fields
nodal g:model --user
nodal g:controller --for users
nodal db:create
nodal db:prepare
nodal db:migrate
nodal s

2. users.js

module.exports = (function() {

  'use strict';

  const Nodal = require('nodal');
  const bcrypt = require('bcrypt');

  class User extends Nodal.Model {

    beforeSave(callback) {

      if (!this.hasErrors() && this.hasChanged('password')) {

        bcrypt.hash(this.get('password'), 10, (err, hash) => {

          if (err) {
            return callback(new Error('Could not encrypt password'));
          }

          this.__safeSet__('password', hash);
          callback();

        });

      } else {

        callback();

      }

    }

    verifyPassword(unencrypted, callback) {

      bcrypt.compare(unencrypted, this.get('password'), (err, result) => {
        callback.call(this, err, result);
      });

    }

  }

  User.setDatabase(Nodal.require('db/main.js'));
  User.setSchema(Nodal.my.Schema.models.User);

  User.validates('email', 'must be valid', v => v && (v + '').match(/.+@.+\.\w+/i));
  User.validates('password', 'must be at least 5 characters in length', v => v && v.length >= 5);
  
  // Password will NEVER be shown as the output of an API response
  User.hides('password');

  return User;

})();

3. request&response

POST to localhost:3000/users with username:nick email:nsipplswezey@gmail.com password:password 

{
  "meta": {
    "total": 1,
    "count": 1,
    "offset": 0,
    "error": null
  },
  "data": [
    {
      "id": 1,
      "email": "nsipplswezey@gmail.com",
      "username": "nick",
      "created_at": "2016-05-22T02:04:27.038Z",
      "updated_at": "2016-05-22T02:04:27.149Z"
    }
  ]
}