Currently if calling an authenticated webservice in another app, the username/password can be either hardcoded or a constant. Either way the password will end up sitting in the codebase unprotected. The option of using a Microflow or xpath to retrieve a value would mean we could store it in an entity and encrypt it, improving the security of the solution.