My script integrates with an API which needs an access token. I’ve read about [levels of security](https://stackoverflow.com/a/12461944) and I’m hoping to implement at least the level where “Security provided by encryption that can be broken with some effort.” or better yet “Security provided by encryption that is impractical to break given current hardware.”

So I’m thinking I’ll encrypt this access token, put this encrypted token in a config file/environment variable. And then in the script, I would decrypt it back before using it for the API.

I wonder though if this really does make it more secure, and if so, how? Can't the attacker just look into the script and see how the access token is decrypted back? Is it possible somehow that someone can have access to the config file/environment variable without having access to the script which sits in the same machine?