diff --git a/appdaemon/http.py b/appdaemon/http.py
index 5ee8490c4..21a1b7ceb 100644
--- a/appdaemon/http.py
+++ b/appdaemon/http.py
@@ -162,6 +162,8 @@ def __init__(self, ad: "AppDaemon", main_cfg: MainConfig) -> None:
         self.static_dirs = {}
 
         self._process_http(self.http)
+        if (cfg := main_cfg.http) is not None and (p := cfg.password) is not None:
+            self.password = p.get_secret_value()  # read secret directly
 
         self.app_endpoints = {}
         self.app_routes = {}
@@ -386,7 +388,6 @@ def _process_dashboard(self, dashboard):
         self.setup_dashboard_routes()
 
     def _process_http(self, http):
-        self._process_arg("password", http)
         self._process_arg("tokens", http)
         self._process_arg("work_factor", http)
         self._process_arg("ssl_certificate", http)
diff --git a/appdaemon/models/config/plugin.py b/appdaemon/models/config/plugin.py
index 2da1ca1c5..5eef49600 100644
--- a/appdaemon/models/config/plugin.py
+++ b/appdaemon/models/config/plugin.py
@@ -140,7 +140,7 @@ def auth_headers(self) -> dict:
         if self.token is not None:
             return {"Authorization": f"Bearer {self.token.get_secret_value()}"}
         elif self.ha_key is not None:
-            return {"x-ha-access": self.ha_key}
+            return {"x-ha-access": self.ha_key.get_secret_value()}
         raise ValueError("Home Assistant token not set")