Thank you for your questions. I am sorry for the delay replying to this - the HAT tech team is currently very busy preparing for the 1st of July launch.
In the current architecture, Direct Debit (D2) accounts are set up on each existing and new HAT by Platform Providers because they are responsible for certifying/verifying Data Debit and application accounts. Typically that would be done when a certified app requests the platform to create an account on a HAT.
To mitigate security risks, Platform Providers may receive only a BCrypt-hashed (one-way encrypted) password, so that only the account holder (e.g. app) knows the password. On the HAT, when the account holder sends the password, it is hashed with the same BCrypt algorithm and compared to the previously saved encrypted password, held by the Platform Provider. The Bcrypt algorithm is described here: https://en.wikipedia.org/wiki/Bcrypt.
By signing up for a HAT with a HAT Platform Provider, you become the Owner of your HAT and you are provided with a Universally Unique Identifier (UUID) to serve as the identification for your HAT. So yes, "UserID" denotes the HAT ID who is using the new app, i.e. UUID, which is simply a 128-bit value. "Email" refers to the app user's email, "name" to the "app name" (or owner name). "Pass" is short for "password", which is created by the account holder and set up via the Platform Provider.
Hope this helps.