Currently, when you want to deploy a new self-hosted integration, the organization's client ID and client secret are used by default.

So, if the client ID and client secret are leaked or need to be changed, you must change the client ID and client secret for all integrations that you host yourself

A better way would be to generate a new service account for a new integration, so you have only one key to manage per integration

This is in line with the principle of least privilege and allows for easy, secure management of dedicated service accounts