Create an OAuth2UserTokenExchange destination in BTP CF using MTA.yaml

Dear Community,

I'm working on a project where i would like to consume a cap based OData service, which should act as a common service, deployed in CF from different UI5 application. Each of these UI5 applications has in turn a dedicated cap based service and is deployed via a dedicated mta.yaml. To allow the UI5 Applications to access the commen service i would like to create an OAuth2UserTokenExchange based destination in the mta.yaml so that the destination is created automatically when deploying the application. How can i achieve this in mta.yaml without providing providing the client id and client secret in mta.yaml in clear text. Here is the current resource definition

resources:
  - name: app-api-destination
    type: org.cloudfoundry.managed-service
    requires:
      - name: srv-api
    parameters:
      service: destination
      service-plan: lite
      config:
        init_data:
          subaccount:
            existing_destinations_policy: update
            destinations:
              - Name: app-api-destination
                Description: app-api-destination
                Authentication: OAuth2UserTokenExchange
                ProxyType: Internet
                Type: HTTP
                URL: https://subdomain-app-srv.cfapps.eu10.hana.ondemand.com
                tokenServiceURL: https://subdomain.authentication.eu10.hana.ondemand.com/oauth/token
                clientId: CLIENT-ID
                clientSecret: CLIENT-SECRET                                  
                HTML5.DynamicDestination: true
                TrustAll: true       

Best regards,

George