In the REST API, the values of secure management attributes are currently provided to authenticated users if "actuals" request parameter is set to true. This means if the user is using an insecure HTTP transport, the secure value will go over the wire unencrypted.