in reply to Eliminating userid/passwords in code
So far, the "best" solution I've found is to put them into a separate encrypted file, then unencrypting/encrypting them when I need them.
If the encrypted token lives on the same system where the decryption key is, you've gained nothing. The key and the encrypted credential can be obtained in the same way as the plain password, just with a bit more fiddling.
So the secret has to be stored somewhere else. And the instance holding the secret has to be able to verify the requiring party to make sure it really is what it claims to be, and is not being impersonated by something/someone else. That's hard - "it is damned hard to make a program foolproof, because fools are so ingenious." And good hackers (in the evil meaning of "good hackers") aren't fools.
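The off-box design the reply argues for, as an added illustration that is not code from the thread: a constructed broker holds the real credential and releases it only to a requester that proves knowledge of its enrolled client key, with each attempt logged and each client revocable. The residual weakness the reply calls hard remains (the client key still lives on the client); what the broker buys is that the password itself never sits on the requesting host, replays and revoked clients fail, and every access is auditable. All names and values here are constructed.

```python
import hmac, hashlib, secrets, time

class SecretBroker:
    """Off-box holder of the real credential (constructed example, not a real product).
    Hands the credential out only after a challenge/response with the client's enrolled key."""
    def __init__(self, credential: bytes):
        self._credential = credential
        self._clients = {}    # client_id -> enrolled client key
        self._pending = {}    # client_id -> outstanding single-use challenge nonce
        self.audit = []       # (timestamp, client_id, outcome) for every fetch attempt

    def enroll(self, client_id: str, client_key: bytes) -> None:
        self._clients[client_id] = client_key

    def revoke(self, client_id: str) -> None:
        self._clients.pop(client_id, None)

    def challenge(self, client_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[client_id] = nonce
        return nonce

    def fetch(self, client_id: str, response: bytes):
        key = self._clients.get(client_id)
        nonce = self._pending.pop(client_id, None)   # consumed here, so a replayed response fails
        expected = hmac.new(key, nonce, hashlib.sha256).digest() if key and nonce else b""
        ok = bool(expected) and hmac.compare_digest(response, expected)
        self.audit.append((time.time(), client_id, "ok" if ok else "denied"))
        return self._credential if ok else None

def client_answer(client_key: bytes, nonce: bytes) -> bytes:
    """What an enrolled client computes from the broker's challenge."""
    return hmac.new(client_key, nonce, hashlib.sha256).digest()

def demo():
    broker = SecretBroker(b"db-password-constructed")
    app_key = secrets.token_bytes(32)              # constructed per-client key
    broker.enroll("batch-job", app_key)
    n = broker.challenge("batch-job")
    r = client_answer(app_key, n)
    got = broker.fetch("batch-job", r)             # legitimate client: credential released
    replay = broker.fetch("batch-job", r)          # same response again: nonce already consumed
    impostor = broker.fetch("batch-job", client_answer(b"guessed-key",
                                                       broker.challenge("batch-job")))
    broker.revoke("batch-job")
    after_revoke = broker.fetch("batch-job", client_answer(app_key, broker.challenge("batch-job")))
    return got, replay, impostor, after_revoke, [o for _, _, o in broker.audit]
```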