The solution depends on who you are securing the access key from. If from a site’s visitors, the options table is fine. If you need to secure from the site’s admin, saving it anywhere on their server is impractical unless it’s encrypted. If it’s encrypted, where would the decryption key come from? Saving the decryption key on their server isn’t very secure. Your plugin would need to fetch the decryption key from elsewhere, such as a server you control. If you go through that effort, why not just fetch the access key itself?
Even then, a site admin could sniff network traffic and discover the key at some point where it is in plain text form. If you cannot trust the site admin, then you probably should not be using your own key and should require them to get their own.
Having your plugin fetch data from your own server has privacy implications that need to be considered whether you are actually collecting user data or not.
Are you sure security is even warranted? For example, the API key for the Google Geocoding service can be associated with a specific server IP and is useless from anywhere else, thus public knowledge of the key does not present any risk. Maybe not a practical solution for your plugin, it’s just an example of an alternative way of securing a key from unauthorized use.