How to hide Bearer Tokens from other Retool users?

We have a long-lasting Bearer token that we want to use in a Retool Resource.

How do we keep it secret from those who have access to the resources and the queries?

I figured out how to accomplish that with Basic Auth in the resource, so I don't have to put it in the query, but this new API needs to pass a long-lasting Bearer token.

Ideas on how to accomplish that?

There's an experimental feature flag for that mentioned here! If you're interested in trying it out you can reach out to support@retool.com 🙂

Interesting, but someone could still hover over the variable and its value would display? And could they not just go read the value where it is set?

You can set environment variables to be encrypted so that they're only visible to Admins through the UI, and in that case, the hover preview is disabled:

People with edit access could create a resource that uses the variable and hit something like Postman Echo with it to reveal what the variable is though.

There's a known feature request for adding more encryption functionality to REST API resources, which would provide more security. I can report back here about that as well.