I’d like to have a parameter field for secret data that only allows for input, but doesn’t reveal its value and also doesn’t allow copy. Leaving the API tokens visible poses a potential risk. Another solution could be a secret storage (like GitHub Secrets) where you store all your tokens and then you reference them from the parameter fields.
API tokens in plugin settings
API tokens in General Settings (example: Zotero)