If you want to go ahead with implementing your own solution, a few things to consider:
Make sure you use a blocking http call and not async. Otherwise users could join the conference before the API call returns and password won’t yet be set. Perhaps use this function – http_get_with_retry
Because the calls will be synchronous, a slow response time from API could result in performance and usability issues.
You need to secure the API so it’s not publicly viewable but still accessible by the plugin. The http_get_with_retry already supports header-based auth tokens so that’s an option.
You’ll need to consider error conditions i.e. what happens if the API call fails?