Failure to establish connection when provisioning via ansible-playbook server.yml

You provide the public key, for instance, for the web user on the initial provision. I suppose you could also add extra keys for someone else or for another computer by adding them to users.yml for the admin user.

However, in the general workflow, for example using Digital Ocean, when you spin up a new droplet you are able to add public keys from there (which would allow you to SSH directly to the server without using the provided password).

If you do this, then you would not need to use a password. Of course, if you spin up a server and there is no public key added, then yes, you do need to use a password to log in for the first time.

Also, you add public keys because that’s all that’s needed to validate your private key that remains on your computer… public keys are just that, public, and can be shared. You should never be sending your private SSH key anywhere.
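
The check below is an added example, not part of the original post or of the project's code: it classifies key entries before they are pasted into users.yml, accepting only OpenSSH public key lines and flagging private key material. The function names and sample entries are constructed for illustration, and it assumes plain `type base64 comment` lines with no authorized_keys options prefix.

```python
import base64
import struct

def _ssh_string(data):
    # SSH wire format: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def classify_key(entry):
    """Return 'public', 'private' or 'invalid' for one key entry."""
    entry = entry.strip()
    if "PRIVATE KEY-----" in entry:      # PEM/OpenSSH private key header
        return "private"
    parts = entry.split()
    if len(parts) < 2:
        return "invalid"
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid"
    if len(blob) < 4:
        return "invalid"
    (n,) = struct.unpack(">I", blob[:4])
    # The blob must start with the same type name the line declares,
    # and key data must follow it.
    if blob[4:4 + n] != key_type.encode() or len(blob) <= 4 + n:
        return "invalid"
    return "public"

def rejected_entries(entries):
    """Indexes and verdicts of entries that must not go into users.yml."""
    verdicts = [(i, classify_key(e)) for i, e in enumerate(entries)]
    return [(i, v) for i, v in verdicts if v != "public"]

# Constructed sample data (all-zero key bytes, placeholder private key body).
ED_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()
SAMPLE_ENTRIES = [
    "ssh-ed25519 " + ED_BLOB + " admin@laptop",
    "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----",
    "ssh-rsa " + ED_BLOB + " mislabeled@laptop",
]

if __name__ == "__main__":
    for index, verdict in rejected_entries(SAMPLE_ENTRIES):
        print(f"entry {index}: {verdict}, do not add")
```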