Problem

A4J does not support secret storage. The obvious use case for storing a secret would be for outgoing web requests, where someone might require an API token in the custom request headers.

Suggested resolution

An ideal outcome would be a way for users to securely add and remove secrets per automation rule or project, similar to Bitbucket Pipelines variables (encrypted at rest), which can then be referenced from within automation rules.

Workaround

The "Send Web Request" action allows to HIDE any headers, including Authorization, which will obfuscate the key used. For users who would like to manage secrets in a storage so that it is easier to manage and update secrets in bulk, the best workaround for that at the moment is likely to use the new Automation Rule Management API, which is now in beta phase. Using the endpoints and scripts, users can check and update rules in bulk.