How to store a secret for a plugin inside public_html

My friend has a WordPress site, and I have a Django server. I am trying to talk to custom REST API endpoints on his WordPress site and perform privileged activities like creating and unpublishing posts. I am making a plugin for him.

My friend's WordPress hosting has the following structure:

public_html
    - wp-admin
    - wp-content
        - plugins
            - My-Shiny-New-REST-Plugin
                - secret.php
    - wp-includes

In order for the WordPress REST API and my server to talk together, I wish for them to both have copies of a secret key. On the WordPress site it will be stored in secret.php above. Now what concerns me, as far as I can see, is that PHP code seems to be public (Django Python code is private). And I imagine secret.php is not very secret at all.

How does one store a secret token for one's plugin in a secure way?
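
One common way to handle this, as an added example that is not part of the original question: define the key in wp-config.php instead of a file in the plugin directory, and have the plugin verify an HMAC of each request so the key itself never travels over the wire. The constant name MY_SHINY_REST_SECRET, the X-MSR-* header names, the my-shiny/v1 route and the 300-second window are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: My Shiny New REST Plugin (added example)
 */
// A direct HTTP request to this file runs outside WordPress, where ABSPATH
// is undefined, so it exits without output.
defined('ABSPATH') || exit;

// Assumption: wp-config.php defines the key, so no secret.php is needed:
//   define('MY_SHINY_REST_SECRET', '<long random value>');
function msr_secret() {
    return defined('MY_SHINY_REST_SECRET') ? (string) MY_SHINY_REST_SECRET : '';
}

// permission_callback: require a recent timestamp and a valid HMAC-SHA256
// over "timestamp.body". Header names are hypothetical.
function msr_check_signature(WP_REST_Request $request) {
    $secret = msr_secret();
    if (strlen($secret) < 32) {
        return new WP_Error('msr_no_secret', 'Shared secret not configured', array('status' => 500));
    }
    $timestamp = (string) $request->get_header('X-MSR-Timestamp');
    $signature = (string) $request->get_header('X-MSR-Signature');
    // Reject stale or malformed timestamps to narrow the replay window to 300 s.
    if (!ctype_digit($timestamp) || abs(time() - (int) $timestamp) > 300) {
        return new WP_Error('msr_stale', 'Timestamp missing or outside window', array('status' => 401));
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $request->get_body(), $secret);
    // hash_equals compares in constant time.
    if (!hash_equals($expected, $signature)) {
        return new WP_Error('msr_bad_sig', 'Invalid signature', array('status' => 401));
    }
    return true;
}

// Privileged action from the question: unpublish a post by setting it to draft.
function msr_unpublish(WP_REST_Request $request) {
    $id = wp_update_post(array('ID' => (int) $request['id'], 'post_status' => 'draft'), true);
    return is_wp_error($id) ? $id : rest_ensure_response(array('unpublished' => $id));
}

add_action('rest_api_init', function () {
    register_rest_route('my-shiny/v1', '/posts/(?P<id>\d+)/unpublish', array(
        'methods'             => 'POST',
        'callback'            => 'msr_unpublish',
        'permission_callback' => 'msr_check_signature',
    ));
});
```

The Django side would compute the same HMAC-SHA256 over the timestamp, a dot and the raw request body with its copy of the key, and send the hex digest and timestamp in the two headers.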