Using External Credentials from Salesforce Named Credential in Apex

To securely manage sensitive data such as API keys, one approach is to store the key using External Credentials and associate it with a Named Credential in Salesforce. Within the External Credential configuration, a Principal is defined to hold the API key securely.

In this below scenario, an attempt was made to reference the API key within an Apex class by injecting the secret into the endpoint URL:

String apiKey = '{!$Credential.GooglePlacesAPINew.api_key}';

String url = NAMED_CREDENTIAL_NEW + AUTOCOMPLETE_ENDPOINT +
             '?input=' + EncodingUtil.urlEncode(input, 'UTF-8') +
             '&types=address' +
             '&key=' + apiKey;

This resulted in the following error:

getting address predictions: Illegal character in opaque part at index 137: callout:GooglePlacesAPINewNamedCred/maps/api/place/autocomplete/json?input=10-25%2F141%2C+ri+s+Na+34143836&types=address&key={!HTMLENCODE($Credential.GooglePlacesAPINew.api_key)}

This Behaviours is WAD -

This behavior is working as designed. Salesforce does not allow encrypted (secret) values to be substituted into endpoint URLs when using Named Credentials. This limitation exists to prevent the potential exposure of sensitive data via URL parameters, which could be logged or cached in unintended ways.