Best practice for an API key

Some previous discussion around this in this thread:

In general, the most important thing is to limit the scope of where your secret can possibly be read from. There are some filesystem-based suggestions in that thread that are good practice. Environment variables can work, but aren't guaranteed to be as isolated as you might like them to be, as @pturmel points out in that thread.

Ideally, anything interacting with an API would eventually become an Ignition module - in that case, you can store them encrypted & salted in the internal DB, which is a nice bonus.

3 Likes
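An added example, not part of the original post and not Ignition code: it contrasts the two storage options discussed above by showing that a key placed in an environment variable is inherited by any child process, while a file-based loader can refuse a key file that is readable beyond its owner. It assumes standalone Python 3 on a POSIX system; `EXAMPLE_API_KEY`, `api.key` and the key value are constructed for illustration.

```python
import os
import stat
import subprocess
import sys
import tempfile

ENV_NAME = "EXAMPLE_API_KEY"        # hypothetical variable name
SECRET = "constructed-example-key"  # constructed value, not a real key

def child_sees_env(name):
    """Return the value a child process inherits for an environment variable."""
    code = "import os, sys; sys.stdout.write(os.environ.get(%r, ''))" % name
    return subprocess.check_output([sys.executable, "-c", code]).decode()

def load_key_file(path):
    """Read a key file, refusing one that anyone but its owner can access."""
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)  # inspect the file actually opened, not the path
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise PermissionError("%s: not a regular file owned by this user" % path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("%s: accessible beyond its owner" % path)
        return os.read(fd, 4096).decode().strip()
    finally:
        os.close(fd)

def demo():
    """Return (value a child saw via env, value loaded from 0600 file, 0644 rejected)."""
    os.environ[ENV_NAME] = SECRET
    try:
        leaked = child_sees_env(ENV_NAME)  # every child process inherits it
    finally:
        del os.environ[ENV_NAME]
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "api.key")  # hypothetical file name
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
        with os.fdopen(os.open(path, flags, 0o600), "w") as f:
            f.write(SECRET)
        loaded = load_key_file(path)
        os.chmod(path, 0o644)  # simulate a misconfigured, world-readable key file
        try:
            load_key_file(path)
            rejected = False
        except PermissionError:
            rejected = True
    return leaked, loaded, rejected
```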