We have middleware which does KYC verification was associated documents to entities(deals/accounts/contacts) in freshworks_crm.
It uploads documents to freshworks and also sends to external API to validate. For these two operations we need respective API keys which is taken as an input from custom app configuration. API keys are not set to secure because we had to fetch them and send it to middleware.
We have submitted the app for review and received following comment