You are exactly right, from the API there is no designator to enable if this is a secret http value or not. It can only be done in the UI as of today. I would recommend tossing in a RFE so they can build that in to the API.
Test Results off:
I wonder if you just need to pass the value encoded for it to work, but i'd have to leave that to be confirmed from a Dev person.