https://community.appian.com/discussions/f/integrations/26522/securing-a-second-api-key-that-must-be-passed-in-a-headerWe have what is effectively an API broker or proxy tool between our Appian instance and an API we consume. The broker/proxy requires API Authentication to properly identify our system and allow access to the API&#39;s that it brokers. It does not howeveren-USTelligent Community 12https://community.appian.com/thread/104190?ContentTypeID=1Sat, 12 Nov 2022 18:05:25 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:8cd38697-dc89-4ef6-a4dd-b508a882f157Richard Nolan<p>That&#39;s an approach that I&#39;ve hashed out with others.&nbsp; We&#39;ve also gone back to the architects of this network configuration with some questions.&nbsp;&nbsp;<br /><br />My main concern here is that some escalation of privilege attack on an Appian environment could necessarily then have an escalation on another system.&nbsp;<br /><br />The advantage of encrypting the local constant based key is that it puts the vulnerable key in the admin console, which I like.&nbsp; It does however feel clunky.&nbsp; I&#39;d rather the underlying architecture owned this problem.</p> <p>Thanks for your response!</p><div style="clear:both;"></div>https://community.appian.com/thread/104180?ContentTypeID=1Sat, 12 Nov 2022 09:43:26 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:53d990f0-607e-40eb-91b7-167abf9aaed8Stefan Helzle<p>Any header in HTTP is clear text, that is why we use SSL to encrypt the transport.</p> <p>The encryption functions plugin can encrypt and decrypt strings using a static key stored in the secure credential store. So, you could put the encrypted API key into a constant and decrypt it on demand using that static key. That would at least increase the effort to get the access to the API key.</p><div style="clear:both;"></div>