I had seen the API documentation, which describes how to interact with PKP applications using the API.
On the authentication section it explains how to configure the API key.
Under the hood, a secret on the configuration file (api_secret_key) is used to generate the API key with JWT.
Seems that JWT could be used to encrypt and store plugin credentials too, using some sort of secret key (maybe plugin specific). But I wanna know if there is some recommendation for plugin developers first.