Is there possible way to hide API Key in EML file when sent mail with adaptive card in outlook?

Certified Senior Developer

I recently received a requirement to enable the acceptance or rejection of tasks directly through email by clicking a button, rather than navigating into Appian. To achieve this, I created a Web API to trigger the process model and configured it with a service account for external access. Additionally, I utilized Actionable Messages with Adaptive Cards for Outlook and designed an HTML template using the below Adaptive JSON code

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
	    <script type="application/adaptivecard+json">
      {
        "type": "AdaptiveCard",
        "hideOriginalBody":true,
        "body": [
          {
            "type": "Container",
            "id": "353b659f-b668-fac0-5b7f-5d2f1bdb46ac",
            "padding": "Default",
            "items": [
              {
                "type": "ActionSet",
                "actions": [
                  {
                    "type": "Action.Http",
                    "id": "accept",
                    "title": "Accept",
                    "method": "POST",
                    "url": "----------------- APPIAN API END POINT -----------------",
                    "headers": [
                      {
                        "name": "Appian-API-Key",
                        "value": "----------------- APPIAN API KEY -----------------"
                      },
                      {
                        "name": "content-type",
                        "value": "application/json"
                      },
					  {
                        "name": "Authorization",
                        "value": ""
                      }
                    ],
                    "body":"###body###",
                    "isPrimary": true,
                    "style": "positive"
                  },
                  {
                    "type": "Action.Http",
                    "id": "reject",
                    "title": "Reject",
                    "method": "POST",
                    "url": "----------------- APPIAN API END POINT -----------------",
                    "headers": [
                      {
                        "name": "Appian-API-Key",
                        "value": "----------------- APPIAN API KEY -----------------"
                      },
                      {
                        "name": "content-type",
                        "value": "application/json"
                      },
					  					  {
                        "name": "Authorization",
                        "value": ""
                      }
                    ],
                    "body":"###body###",

                  }
                ],
                "spacing": "None"
              }
            ],
            "spacing": "None",
            "separator": true
          }
        ],
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "version": "1.0",
        "padding": "None",
        "originator": "----------------- MICROSOFT ORIGINATOR ID -----------------"
      }
    </script>
  </head>
  <body>

  </body>
</html>

and configure it "Send Email" smart service. Once I send an email, I receive the mail with two buttons as described below.

Clicking the buttons triggers the process model in the API and everything works fine. However, when I download the EML file of that email, it exposes the endpoint along with the Appian API Key in the Adaptive JSON code. It would be beneficial to find a solution that prevents the exposure of the endpoint and API, or encrypts it in any form, while ensuring that the functionality works seamlessly.

  Discussion posts and replies are publicly visible