It really depends on what type of key you are talking about.
If you are asking people to paste a key into your app, and then you are using that as a parameter on a URL … it had better be for something fairly safe.
However it looks like you are talking about Oauth2 which is a very different thing.
The keys are in the Header, not the URL.
And in this case you are usually given a time limited token, which can be refreshed. If you don’t have the right credentials … you can’t refresh. If the user revokes access - it can’t be refreshed.
So whilst you should be looking after the Token, they are, by design, limited in the damage they can do should they get into the wild.
Therefore, storing it in the database in text is probably no terrible thing. Particularly as you need other credentials as well.
The issue we have with Bubble is that we also have to store OUR creds in text.
I have asked several times that the “secret” implemented in the Server Side Plugins should be available in the API connector.
The way I have got round this before is to use a third party to hold the tokens (in this case auth0) or use a small webtask to run the call. This means the credentials are not all in Bubble.