Description
My composer.json:
{
    "config": {},
    "repositories": [{
        "type": "composer",
        "url": "https://secure.repo.url",
        "options": {
            "http": {
                "header": [
                    "cf-access-token: <token>"
                ]
            }
        }
    }]
}
From the documentation here: https://getcomposer.org/doc/articles/authentication-for-private-packages.md#custom-token-authentication
It seems that there is no way to use this method of authentication securely. There is no way to define custom headers and tokens in auth.json. Additionally, repositories do not "merge" with the global composer file, so you cannot just define the secure repo in the project composer.json and then the authentication settings in the global one.
The only solution I have found so far is to not define the repository at all at the project level, which does not seem ideal.
Composer configuration also does not support environment variables.
I noticed there is also a bearer auth method, but it only works if the Authorization header is required.
It seems like there should be a way of specifying secure/secret headers in auth.json.
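
An added example, not part of the original issue and not Composer's own code: a pre-commit or CI check that flags credential-bearing custom headers hard-coded under `repositories[].options.http.header` in a composer.json, the situation described above. The name pattern, the `<...>` placeholder convention, the function name and the sample URLs and token are assumptions made for illustration.

```python
import json
import re

# Assumption: header names matching this pattern carry credentials.
SENSITIVE_NAME = re.compile(r"token|auth|secret|key|cookie|passw", re.I)
# Assumption: values such as "<token>" are placeholders, not real secrets.
PLACEHOLDER = re.compile(r"^<[^<>]*>$")


def find_header_secrets(composer_json_text):
    """Return (repository URL, header name) pairs for custom headers that
    embed a literal credential. The header value is never returned."""
    data = json.loads(composer_json_text)
    repos = data.get("repositories", [])
    # "repositories" may be a list or an object keyed by repository name.
    entries = repos.values() if isinstance(repos, dict) else repos
    findings = []
    for repo in entries:
        if not isinstance(repo, dict):  # e.g. {"packagist.org": false}
            continue
        options = repo.get("options")
        http = options.get("http") if isinstance(options, dict) else None
        headers = http.get("header", []) if isinstance(http, dict) else []
        if isinstance(headers, str):  # headers given as one string
            headers = re.split(r"\r?\n", headers)
        for line in headers:
            name, _, value = line.partition(":")
            value = value.strip()
            if SENSITIVE_NAME.search(name) and value and not PLACEHOLDER.match(value):
                findings.append((repo.get("url", "?"), name.strip()))
    return findings


# Constructed sample input modelled on the composer.json in the issue.
SAMPLE = """
{
  "repositories": [
    {"type": "composer", "url": "https://repo-a.example.test",
     "options": {"http": {"header": ["cf-access-token: CONSTRUCTED-not-a-real-token"]}}},
    {"type": "composer", "url": "https://repo-b.example.test",
     "options": {"http": {"header": ["cf-access-token: <token>", "Accept: application/json"]}}}
  ]
}
"""

if __name__ == "__main__":
    for url, name in find_header_secrets(SAMPLE):
        print(f"literal credential in header '{name}' for repository {url}")
```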