(Q3) That’s correct, the configuration object is meant to pass information in one way, from the outside to the rules logic so it does not seem applicable.
(Q2) The recycling policy is not configurable.
(Q1) To my knowledge, there’s no other built-in way to cache it so the characteristics offered by the global object are what’s available. In addition to that, I can only think of workarounds like considering brokering the API consumption through another endpoint and support another sort of client authentication mechanism like an API key on that endpoint. This way the endpoint rules would call would require the API key approach and hide the client credentials grant aspects of it required by the underlying API.