When calling an external API, you may need to pass along an API token or similar form of secret-based authentication. Instead of placing that information in every relevant node in every relevant flow, you can store it securely as a secret.
Once stored, secrets are not displayed in plain text but instead referenced by name when specifying what headers to send in an API call. When a secret changes (such as because your API keys have rotated) you can replace it in one place to update all nodes that use it across all flows.
Secrets can be managed from the Organization section of your Settings page. Managing secrets requires that you have permission to edit flows.