IoTaWatt uses Digest authentication. It is more secure and does not send passwords in plaintext, but rather sends a “digest” or cryptographic hashed version of it. It does this in response to a 401 Authenticate response by the IoTaWatt (server). The 401 request contains the method of authentication accepted (Digest) and some parameters that are used by the client to compose the Digest such that it is unique and not useful for replay attacks.
As I said, I don’t use curl very often, but googling “curl digest authentication” and skimming the results, it looks like you might need to add the --digest option to both inhibit initially sending your --auth credentials in plaintext in a Basic authorization header, and to enable curl to properly respond to the 401 authenticate initial reply.