How to provide credentials for calling Key Protect service within Bluemix application?

To call the Key Protect service API, you need to provide Authorization, Bluemix-space and Bluemix-org headers. The Authorization header contains a Bluemix access token. Such tokens can be obtained by calling cf oauth-token command (see How to get OAuth token from CloudFoundry).

What I do not understand is:

1. What is the default validity of such a token in Bluemix?
2. If I need to call Key Protect service from a Blumeix (e.g. Liberty) application, I need to store somewhere the Authorization credentials in order to call the service. What is the best / suggested way to do that? Environment variable? User-provided service?

The oauth-token returned using the cf oauth-token command is valid for the given session. However in Bluemix this session is set a validity of 1 day. You can look at the related thread here, where this is answered, https://developer.ibm.com/answers/questions/207063/oauth-access-token-expiry-how-to-increase-validity.html

You can refer to the Key Protect API docs here to get an understanding of how to use the APIs, with the retrieved oauth token from Bluemix, https://console.ng.bluemix.net/apidocs/639-key-protect?&language=node#retrieve-secrets-based-on-a-search-query