Why and how to encrypt the app key

I try to upgrade an application to the V3 API in which I have trigger a device creation. Understood so far, that I have to call several API endpoints to create the enddevice, works well so fare.

The thing I’m struggling is, the submission of the app_key as an KeyEnvelope. I have to provide three values:

key (not encryted from AES)
kek_label (used to encrypt)

Not clear why I have to provide those things, for security reason ? If yes, then does it make sense to submit the key, the encrypted and the kek together ? Or do I misunderstood something ?

Does anyone have a hint how I create those values with c#

Thanks a million