0
votes

I am a C# software guy by day and a SharePoint beginner. I am using a Content Editor Web Part with SharePoint Online and do not know how to securely store secrets. My SharePoint app must communicate with another application and to do so I must use custom credentials. Because I am in the Dev phase, I am able to hard code the creds inside of my TypeScript files, but this is not what I want long term.

My ask is if someone can walk me through the proper strategy for storing secrets using SharePoint Online Content Editor Web Parts to be consumed by the TypeScript/JavaScript.

Thanks


1 Answer

1
votes

Quite honestly, the proper strategy would be to not use JavaScript at all for sensitive API calls. Sensitive API calls should only be made server-side (so that any "secret" keys, passwords, etc. never reach the browser).

The problem with storing a secret value somewhere and accessing it with JavaScript is that JavaScript would have to decode the value somewhere along the way in order to use it. That means a savvy user could view the source code for your page, open their browser JS tools, and execute the same commands to get the value. Not great for security.

On-premises SharePoint actually has a solution for this called the Secure Store Service, but part of why that works is it's designed for use in server-side code. As of yet, Microsoft hasn't released a client-side API for that service in SharePoint Online (probably because using it with JS would be less secure as I mentioned).

The "proper" strategy depends on your goals. You've got at least 2 options:

  1. If you want real security for your secret key/password/whatever, you'd need to develop a SharePoint Online "Hosted Add-In" which lives on another server or a cloud service like Azure. SharePoint provides "app parts" that wrap hosted add-ins with iframes and let you add them to a page, so you could use that to add your app to a SharePoint page and have it display results from an API call (very similar to how a Content Editor Web Part would look).
  2. If you don't need real security and "security by obscurity" is good enough, then I'd recommend storing the secret value in a SharePoint list and doing some "fake" encryption on it like Base64 encoding. Then decode the value in JavaScript after reading it from the list. If you want to add even more obscurity, you can use PowerShell or JavaScript to make the list hidden so users don't see it in their browser, but that also means you'd have to add/edit values through code.