You are exactly right, from the API there is no designator to enable if this is a secret http value or not. It can only be done in the UI as of today. I would recommend tossing in a RFE so they can build that in to the API.
Test Results off:
I wonder if you just need to pass the value encoded for it to work, but i'd have to leave that to be confirmed from a Dev person.
If you use the settings API (POST /api/v2/settings/objects) instead of the problem notifications API, you can create secret HTTP header values through the API. We're in the process of figuring out how to communicate this to the broader audience. Here is an example payload:
After the POST call, you can't read the secret values in the UI (duh), but if you try it out, e.g. with webhook.site, you'll see that this works just fine.
Hope this helps,