Thank you,

so currently I can't use password2 in my scripts?

We have several uses for this. We have a bunch of REST outgoing messages to a 3rd party server. In domain-separated scenario each customer (through scripts) will call REST APIs but with own credentials. So Domain1 user will call with domain1 credentials and Domain2 with domain2 credentials. We use script include to dynamically set connection passwords on the fly while calling REST messages. Maybe you know a better way? We originally used this script wrapper (because we had to be Berlin-compatible):https://community.servicenow.com/community/develop/blog/2014/01/29/scriptable-rest-message-library

But now, for scoped app I wonder if RESTMessagev2 would just replace it.  

What if you stored the credentials in the REST message definition and created separate messages for each domain? The RESTMessage2 API will be able to retrieve and decrypt the credentials stored in the message. The only other option I'm aware of is to store the passwords in a sys_property of type password2. Then your script can access the clear text simply by calling gs.getProperty('encrypted_property_name').

Potentially we will have hundreds of domains so it will be like domainsX30 rest messages - we tried it and it was ugly

As we convert our app we store passwords in our own table in password2 field. So potentially I could use RESTMessagev2.setBasicAuth and pass password2 in script.

I just was confused with your comment " There's talk of supporting a new password2 field element API in a future patch. This should allow for decrypting of encrypted fields within the same scope"

So can we now decrypt password2 in script include in scoped app?