Web APIs can only be called by an authenticated Appian user or service account.

There are five ways to authenticate when calling a web API:

Basic Authentication: Uses the Appian username and password embedded in the HTTP request header.
API Key Authentication: Generates a unique API key linked to a service account; API keys provide enhanced performance, security, and longevity over basic auth
OAuth 2.0 (Client Credentials Grant): Supports industry-standard OAuth flows for secure, delegated authentication using service accounts; enables token-based management for external apps.
Mutual TLS Authentication: Appian can also use mutual TLS for additional security, especially for enterprise-grade integrations
Session-Based Authentication: Used primarily for Appian-internal user sessions.

If you wish to invoke an Appian Web API from another system, you cannot use session-based authentication.

For more details visit here