1. How to Hide Credentials used in generating session . Logged In User session is not working to run custom code without admin privileges hence used plain text credentials in custom code
You cannot, because it is plain JS code in there, thus credentials will always be there. The way to mock it up is to setup servlet on the web server, which would handle the requests and put credentials in there by doing handshake to API.
2. Is there a way to run custom code without accessing record(view/edit mode). scenario is "once a expiry date is hit ,it should revoke user access through custom code which is not happening unless record is accessed.
No, Custom Objects are running per user interaction with the page. Again, you can use servlet.
David Petty wrote a wonderful guide which would address most of your questions in here:
https://community.rsa.com/community/products/archer-grc/archer-customer-partner-community/custom-objects/blog/2018/05/18/custom-objects-and-you
