The values for discourse subscriptions secret key and discourse_subscriptions_webhook_secret are not being masked out in the plugin settings, they are visible there and are also visible in the staff action logs.
It’s probably better to hide them…
Are you sure Richard?:
client: false suggests they are not serialised unless you are admin and in admin route? (Otherwise you couldn’t set them)
This is not about client: true but about secret: true which masks the value (which can be toggled with the 
icon) and which removes the value from the staff action logs. This is the case for all other secrets and passwords in settings (like the secrets for Twitter, Facebook, Google oAuth2, Discord, Github, SSO client and provider etc etc)
As you can see secret: true is not present there.
