Hi Harry, although the constant is a often used solution for this, everyone with access to the environments and teamserver could retrieve the values.
A safer solution would be the use of the Encryption module in combination with a Settings entity. In de settings entity you could store your endpoint and username and password. Saving of changing your password could be done in asimilar way you change your ‘Account’ password where you encrypt while saving and decrypt when using it to call the REST endpoint.
If the password/key should be editable front-end, I prefer the implementation with the Encryption module. This is perfectly shown in the EmailTemplate module for the SMTP-password.
If the password/key is not editable front-end, the Mendix constants are just fine. If someone does not have transportation rights to the environment, that person cannot view the constants (see error screenshot below). And you can also Mask the value, such that you don't show it accidentally when showing/sharing your screen or exporting the constants to an Excel (see second screenshot below).