It seems like sensitive workflow constants in NW2010 are *extremely* restricted in where they can be referenced. I understand the sensitivity, but it also can make them not particularly useful. For instance, if you want to make an OAuth call with Call Web Request, you'll need to pass the bearer token as an HTTP header. This is typically a value that's pretty sensitive, but I can't find a way to actually plug in a value that wouldn't be trivially easy for a site owner/workflow designer to obtain.
Well; since it didn't really get an answer I'm suggesting that it's not solved yet. At least in case for future requestst.
I want to do the same thing. I have to make an web request to another business application and the API of that application states that I need to include both username and password in the URL.
I would like to do this via a Secure Workflow Constant (Secure String) but that isn't available in the Web Request Action.
What is the best option for me to not have this URL and Password visible for everyone?
Thanks for your reply.