Edit: It's not the token for Basic Auth like I thought! I didn't want to be "rude" and try to test the API with what I thought were a coworker's exposed credentials, but that would've done the trick to tell.
This is a security issue. As a user with permission to edit webhooks, you've now given me an option to "reveal" the secret key that is set on those webhooks. These aren't my keys. I have no business being able to see them. This is essentially giving me free reign to impersonate other admins on the account via the API. I essentially have a set of passwords for other accounts. You aren't able to see the key you generated again once you leave the API page. Why are secret keys being exposed on this page?