I have a similar use case as written in the Node-RED docs:
For example, for a node to support an OAuth workflow, it must retain server-assigned tokens that the user never sees. The Twitter node provides a good example of how this can be achieved.
In my case I want to store a machine user clientSecret in the backend (server-assigned - the user is not supposed to see it). I know I could hash this secret, return it to my config-node, use it somewhere and replace the hashed secret with the real secret in the backend again if it's equal... however, is there a way how to persist the clientSecret in the backend and access it directly without exposing it to users?
This is a common problem for all server run code. The most secure answer is to use an external key store.
If you are using Windows, you can make use of the Credential Store potentially.
A lot of people tend to use an environment variable for this kind of thing but that really isn't a good idea since Node-RED would make it available to anyone who can edit flows.
However, once you have the secret, as long as you control it within the .js file's code and ensure that it isn't part of the export, it should be reasonably safe. So just wrap access in a function that sits outside the export. Preferably, that function would return a token, the secret should stay purely within that function where it shouldn't be accessible to other code running in Node-RED.