I was going around the GUI and while checking a job and clicking “Command Line…”, there it is, my app ID and app key in plain text in the “Target URL” field. I have a password set to access the GUI, but isn’t that a security concern? It hides them in the job configuration menu, but not here.
It’s going to show your password there, and it will also show it when you export a configuration (if you leave the default option checked that exports passwords). Personally I don’t view this as a security concern. If someone has access to your Duplicati web console, all bets are off anyway.
By default the web UI is only accessible on the local machine (not over the network), and Duplicati prompts you to set a password on the web UI if it’s a multiuser machine for added security (which it seems you have already done).