Subsonic token auth (t=md5(password+salt)) needs a reversibly stored credential; bcrypt password_hash can't serve. NULL means the user has not opted in, forcing apiKey (OpenSubsonic) instead.