Security of Auth Tokens in Script

If you are okay with admin access to the tokens: I use a dedicated database in a separate space for API tokens and other environment variables that my scripts use. Your script can then access these at runtime without directly exposing them in the code. Regarding Postman, that works on your local machine, not on the Fibery server afaik.

Additionally, you could slightly obfuscate the token in your script (e.g., by converting it with a key stored in a field or splitting it into parts and combining them at runtime). This is weak security, but better than directly exposing the full token in a database field or in the script.