As long as the bearer token is appropriate a system token (for all users of the app), then the environment variable option fits. For example, with client_credentials for the app itself.
On the other hand, if you need per-tenant or per-user secrets, then you would want the Forge secure storage feature just announced here: