Referencing sensitive values in a Service Mesh Configuration entry

Header manipulation with a service-router service mesh configuration entry kind is quite useful.

Let us say that I want to use that feature to automatically inject a API key for an outbound request out of the mesh through a terminating gateway. Is it a good idea to store the sensitive value in the configuration entry itself & just secure its access through a suitable ACL policy? Or is there an alternate recommended way?