I haven't ever tried to send a secret over to the task via RestAPI like you are trying to do, but there are some forum posts regarding this topic that you might want to review to see if they help you.
Create Action | BigFix Developer
There is an example on the BigFix WiKi for Server Automation that you might want to look at as well.
Notes for developers - BigFix Wiki Wiki
Secure Parameter substitution fail when running with REST API - Content Authoring - BigFix Forum
Pass secrets parameter value using REST API - Customizations - BigFix Forum
Passing secure parameter to fixlet through Api - BigFix Forum
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
<SourcedFixletAction>
<SourceFixlet>
<SiteName>name_of_site</SiteName>
<FixletID>ID_of_fixlet</FixletID>
</SourceFixlet>
<Target>
<!-- Target by ComputerID is required for secure parameters -->
<ComputerID>123456</ComputerID>
<ComputerID>789012</ComputerID>
</Target>
<Parameter Name="regular_parameter_name">regular_value</Parameter>
<!-- Secure parameter comes after regular parameters -->
<SecureParameter Name="secure_parameter_name">secure_value</SecureParameter>
</SourcedFixletAction>
</BES>
It's not exactly what your trying to do but if you end up not wanting to pass the credential to RestAPI we have done some things with KeePass databases using the powershell module Posh keepass to copy the database down and we use both a key file and an encrypted/decrypted master password on the database so that you would have to have both parts in order to use the database contents. Then we use poshkeepass to look up the credentials from the keepass that it needs, run the action that it needs using those credentials and then deletes the database after it's finished. I'm not sure if that would be an option for you but i thought i'd mention it.