Does "https.createSecureString" do token replacement for it's input using api secret script id's?