Hello, to store (hard code) codes or secrets in your Azure AD B2C custom policies or application source code is not a recommended practice.
You can secure the communication between your custom policy and API using a client certificate or an OAuth2 bearer token. Secrets involved in any of the aforementioned approaches will be stored as policy keys, access tokens can be retrieved on the fly or stored as a policy key too.
Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.