I recently received a requirement to enable the acceptance or rejection of tasks directly through email by clicking a button, rather than navigating into Appian. To achieve this, I created a Web API to trigger the process model and configured it with a service account for external access. Additionally, I utilized Actionable Messages with Adaptive Cards for Outlook and designed an HTML template using the below Adaptive JSON code
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=edge" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <script type="application/adaptivecard+json">
  {
    "type": "AdaptiveCard",
    "hideOriginalBody": true,
    "body": [
      {
        "type": "Container",
        "id": "353b659f-b668-fac0-5b7f-5d2f1bdb46ac",
        "padding": "Default",
        "items": [
          {
            "type": "ActionSet",
            "actions": [
              {
                "type": "Action.Http",
                "id": "accept",
                "title": "Accept",
                "method": "POST",
                "url": "----------------- APPIAN API END POINT -----------------",
                "headers": [
                  { "name": "Appian-API-Key", "value": "----------------- APPIAN API KEY -----------------" },
                  { "name": "content-type", "value": "application/json" },
                  { "name": "Authorization", "value": "" }
                ],
                "body": "###body###",
                "isPrimary": true,
                "style": "positive"
              },
              {
                "type": "Action.Http",
                "id": "reject",
                "title": "Reject",
                "method": "POST",
                "url": "----------------- APPIAN API END POINT -----------------",
                "headers": [
                  { "name": "Appian-API-Key", "value": "----------------- APPIAN API KEY -----------------" },
                  { "name": "content-type", "value": "application/json" },
                  { "name": "Authorization", "value": "" }
                ],
                "body": "###body###"
              }
            ],
            "spacing": "None"
          }
        ],
        "spacing": "None",
        "separator": true
      }
    ],
    "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
    "version": "1.0",
    "padding": "None",
    "originator": "----------------- MICROSOFT ORIGINATOR ID -----------------"
  }
  </script>
</head>
<body>
</body>
</html>
and configured it in the "Send Email" smart service. Once I send an email, I receive the mail with two buttons as described below.
Clicking the buttons triggers the process model in the API and everything works fine. However, when I download the EML file of that email, it exposes the endpoint along with the Appian API Key in the Adaptive JSON code. It would be beneficial to find a solution that prevents the exposure of the endpoint and API, or encrypts it in any form, while ensuring that the functionality works seamlessly.
IMHO, that whole requirement feels like an idea I would refuse to implement.
And no, to call that API you need credentials and I think there is no way to somehow include these in a secure way.
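The exposure described in the question can be checked for before a template ever goes out. The following is an added example, not part of the original thread or of Appian's code: a Python check that parses a message, extracts the adaptive card script block, and reports every Action.Http header that carries a non-empty credential-like value. The sample message, its URL and key value, the header-name pattern and the function names are all constructed for illustration.

```python
import email, json, re
from email import policy

# Constructed sample message: the URL and key below are made-up placeholders.
SAMPLE_EML = """\
From: appian@example.com
Subject: Task approval
Content-Type: text/html; charset="utf-8"

<html><head><script type="application/adaptivecard+json">
{"type": "AdaptiveCard", "body": [{"type": "Container", "items": [
  {"type": "ActionSet", "actions": [
    {"type": "Action.Http", "id": "accept", "method": "POST",
     "url": "https://appian.example.com/webapi/task-decision",
     "headers": [{"name": "Appian-API-Key", "value": "EXAMPLE-KEY-0000"},
                 {"name": "content-type", "value": "application/json"},
                 {"name": "Authorization", "value": ""}]}]}]}]}
</script></head><body></body></html>
"""

CARD_RE = re.compile(r'<script[^>]*type="application/adaptivecard\+json"[^>]*>(.*?)</script>', re.S | re.I)
SECRET_HEADER_RE = re.compile(r"api[-_]?key|authorization|token|secret", re.I)  # assumed naming pattern

def http_actions(node):
    """Yield every Action.Http object found anywhere in the card JSON."""
    if isinstance(node, dict) and node.get("type") == "Action.Http":
        yield node
    children = node.values() if isinstance(node, dict) else (node if isinstance(node, list) else ())
    for child in children:
        yield from http_actions(child)

def find_exposed_credentials(raw_eml):
    """Return (action id, url, header name) for each non-empty credential-like header."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    bodies = [p.get_content() for p in msg.walk() if p.get_content_type() == "text/html"]
    findings = []
    for html in bodies:  # get_content() has already undone base64 / quoted-printable
        for card_json in CARD_RE.findall(html):
            for action in http_actions(json.loads(card_json)):
                for h in action.get("headers", []):
                    if SECRET_HEADER_RE.search(h.get("name", "")) and h.get("value"):
                        findings.append((action.get("id"), action.get("url"), h["name"]))
    return findings

if __name__ == "__main__":
    print(find_exposed_credentials(SAMPLE_EML))
```

Any finding means the credential is readable by every recipient of the mail and by anyone the mail is forwarded to, which is the exposure the question describes.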