There are many ways to save API tokens in an Obsidian plugin:
- Plugin settings (possibly w/obfuscation); Pros: syncs to mobile, easy access. Con: can’t be easily shared across vaults
- Local storage; Pros: not too hard to access, accessible between vaults. Con: extra coding complexity, especially if you want different keys in different vaults.
- OS-level Environment; Pros: easy to access, never synced, global to all vaults. Cons: hard for users to configure, never synced, and global to all vaults.
I wouldn’t think of .env files as being in the top three: they are, among other things, only really usable on desktop (on mobile you can’t access arbitrary files), hard for users to create and edit, and they add more complexity to your plugin to access them, especially in arbitrary locations.
Finally, if you are only supporting desktop and no sync to other machines, you can potentially also use Electron safeStorage encryption to encrypt keys while they are saved in settings or localStorage. (But then you can only access them on the same desktop where you encrypted them.)
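As an added illustration of the settings-plus-safeStorage option and the per-vault localStorage key (example code, not part of the post above or of any Obsidian plugin): the token is stored in plugin settings inside a small envelope that records whether it was wrapped with Electron's `safeStorage`, so a `data.json` that syncs to a phone or another desktop is recognised as unreadable there instead of being sent to an API as garbage. The `TokenStore` class, the envelope layout, the `deviceLabel` argument and the `vaultTokenKey` helper are my own names; on desktop the plugin would pass `require("electron").safeStorage` as the first constructor argument and `null` on mobile, and the vault id could be any stable per-vault identifier such as `app.appId`.

```javascript
// Added example: token storage for an Obsidian plugin that keeps an API token in
// plugin settings, encrypted with Electron safeStorage where available and stored
// plainly otherwise. Envelope fields (v, scheme, device, value) are my own layout.
const SCHEME_PLAIN = "plain";
const SCHEME_SAFE = "safeStorage";
const ENVELOPE_VERSION = 1;

class TokenStore {
  // safeStorage: Electron's safeStorage object (desktop: require("electron").safeStorage),
  // or null on mobile / where Electron is absent. deviceLabel is a caller-supplied hint
  // (e.g. a hostname) so the "cannot decrypt here" message can say where it was sealed.
  constructor(safeStorage = null, deviceLabel = "unknown-device") {
    this.safeStorage = safeStorage;
    this.deviceLabel = deviceLabel;
  }

  encryptionAvailable() {
    return !!this.safeStorage && this.safeStorage.isEncryptionAvailable();
  }

  // Build the value that goes into plugin settings (data.json).
  seal(token) {
    if (typeof token !== "string" || token.length === 0) {
      throw new Error("token must be a non-empty string");
    }
    if (this.encryptionAvailable()) {
      const cipher = this.safeStorage.encryptString(token); // Electron returns a Buffer
      return {
        v: ENVELOPE_VERSION,
        scheme: SCHEME_SAFE,
        device: this.deviceLabel,
        value: Buffer.from(cipher).toString("base64"),
      };
    }
    // No OS keychain available: stored as-is, and therefore readable wherever settings sync.
    return { v: ENVELOPE_VERSION, scheme: SCHEME_PLAIN, device: this.deviceLabel, value: token };
  }

  // Recover the token. Returns { token } on success, or { token: null, reason } so the
  // plugin can prompt the user again rather than use ciphertext as if it were a token.
  open(envelope) {
    if (!envelope || envelope.v !== ENVELOPE_VERSION || typeof envelope.value !== "string") {
      return { token: null, reason: "no token stored" };
    }
    if (envelope.scheme === SCHEME_PLAIN) {
      return { token: envelope.value };
    }
    if (envelope.scheme !== SCHEME_SAFE) {
      return { token: null, reason: `unknown storage scheme "${envelope.scheme}"` };
    }
    if (!this.encryptionAvailable()) {
      // Typical case: settings synced from the desktop where the token was encrypted.
      return {
        token: null,
        reason: `token was encrypted with safeStorage on ${envelope.device}; not available here`,
      };
    }
    try {
      return { token: this.safeStorage.decryptString(Buffer.from(envelope.value, "base64")) };
    } catch (err) {
      // Different machine, changed OS keychain, or a corrupted settings file.
      return { token: null, reason: `could not decrypt token sealed on ${envelope.device}: ${err.message}` };
    }
  }
}

// Vault-scoped localStorage key: prefixing with a vault identifier keeps tokens for
// different vaults apart, which plain localStorage does not do on its own.
function vaultTokenKey(pluginId, vaultId) {
  if (!pluginId || !vaultId) throw new Error("pluginId and vaultId are required");
  return `${pluginId}:${vaultId}:api-token`;
}

// Stand-alone run (no Electron here, so the plain path is taken).
const demo = new TokenStore(null, "demo-device");
const sealed = demo.seal("constructed-demo-token");
console.log(sealed.scheme, demo.open(sealed).token, vaultTokenKey("my-plugin", "vault-1"));
```

The point of the `scheme` field is the caveat in the post: a safeStorage ciphertext is only useful on the desktop that produced it, so a synced copy should fail loudly and early. The plain scheme is deliberately not obfuscated; if the settings file syncs, the token syncs with it, and a reversible obfuscation would only hide that fact.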