It is in the database. There are varying formats for the password, though the default is bcrypt. It would be possible for this to be accessed via the database directly, though this would require custom coding to authenticate.
Yes. (Though 2.1 does also potentially expose some of the new options for password_hash if your PHP supports it. That's entirely opt-in via the config file though, as it also requires non-standard PHP compilations.)
This is a temporary location for the XF 2.1 API end point documentation. It will likely move to the core developer documentation at some point in the future. This document assumes you have already created an API key and setup the necessary headers for your request. Learn more about using the API.