Oh hey, one of the concerns with using the Web Request action is that if your request requires authentication, then your password or token is visible to all Jira Administrators and more troubling, to Project Administrators (who maybe only needed that permission to add/manage Versions or Components/Leads.)
The issue (specifically pertaining to the Jira API, but it applies to any web request that requires credentials) was documented well by @Wolfgang Landes here:
In response, @bmccoy did create AUT-2117 which is still open, but it looks like Atlassian may have provided something of a workaround:
Well, that's new! So cool. If you can't obscure the tokens/passwords for web requests, at least you can limit who can view/edit those rules. Good stuff Atlassian. Now can you please put it in the Release Notes?
And yes, why I do subscribe to the Atlassian Cloud Documentation blog and did not see this mentioned anywhere. Thanks for asking! :-}