Unless you have a very, very convincing reason to do so, passwords should never be sent back from an API endpoint, should never be decrypted, should never leave the database.
Using bcrypt as an example (since you mentioned it), a standard email/password authentication would roughly go:
There should only be three times that column is ever hit in the DB - creating an account, logging in with password, and resetting a password.
With all that in mind, is there any convincing reason your app needs such a massive security vulnerability? If there isn't, problem solved - you don't need to decrypt anything, the password column won't even be in your queries, and there shouldn't be any search slowdown.
* edit: technically it can still be cracked in other ways, but assuming a strong password, this needs an unrealistic amount of compute power/time
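The three places the post says the password column should be touched, plus a search query that never selects it, as an added example that is not part of the original post. Assumptions: the standard-library `hashlib.scrypt` stands in for bcrypt so the block runs without third-party packages, and the table, column and function names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption: scrypt replaces bcrypt here; both are salted, deliberately slow one-way hashes.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, name TEXT, salt BLOB, pw_hash BLOB)")
    return db

# 1. Creating an account: the plaintext is hashed once and then discarded.
def create_account(db, email: str, name: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (email, name, salt, _hash(password, salt)))

# 2. Logging in: re-hash the submitted password and compare. Nothing is decrypted.
def login(db, email: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        _hash(password, b"\x00" * 16)  # spend similar time for unknown emails
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])

# 3. Resetting a password: overwrite with a fresh salt and hash.
#    Verifying the reset request itself is outside this sketch.
def reset_password(db, email: str, new_password: str) -> None:
    salt = os.urandom(16)
    db.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE email = ?",
               (salt, _hash(new_password, salt), email))

# Every other query names its columns explicitly, so the hash never reaches an API response.
def search_users(db, term: str) -> list:
    rows = db.execute("SELECT email, name FROM users WHERE name LIKE ?", (f"%{term}%",))
    return [{"email": e, "name": n} for e, n in rows]

if __name__ == "__main__":
    db = open_db()
    # Constructed sample account.
    create_account(db, "alice@example.test", "Alice", "correct horse battery staple")
    print(login(db, "alice@example.test", "correct horse battery staple"))
    print(search_users(db, "Ali"))
```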