There is no absolutely safe way to store such information permanently.
You have two options to increase security a little bit:
- Use the options table and encrypt the data
Use a strong encryption method, and bind it to either:
- your password when you want to use the API call only when you are logged in, or
- a secret key stored in your
wp-config.php– then an attacker needs both, the PHP code and the database
- Store the access information outside of WordPress
If you are using a system for automatic deployment, for example based on Composer and wpstarter, you have probably some kind of deployment server like Envoyer that creates a file with important configuration variables that is stored outside of the site server’s document root.
Then you can use the deployment server’s backend instead of the WordPress backend to change these data.
Both options are not completely safe. You still have to monitor the actual API usage to detect unintended activities. Make sure there is a log that cannot be compromised from someone with full access to your website.