Hey @markhammondmambu! We do support secret variables via Configuration variables on the Team plan or higher and you can use RETOOL_EXPOSED on a self-hosted instance on any plan.
I believe that all db passwords etc are sanitized in the UI after the resource has been saved, but let me know if there is an instance where this isn't the case. Thanks!