Trigger builds remotely/authentication token is a textbox. If you use per-project based security and enabled extended read, the token isn't obfuscated.

Could you turn the textbox to a password field?

I understand it is a corner case but the authentication token should be considered a password IMO.