I think there is a long discussion about this here in discuss. @amaster507 do you know how?
Maybe you could use the next thing I mention about NGINX bellow.
You can hide any key behind via NGINX header passthrough proxy_set_header X-Dgraph-AccessToken your-key-here. But never do this with admin keys. Cuz with admin you can edit/see /admin configs.
With this you can create a proxy between your API or something - between lambda and the API. With proxy_set_header the key will be passed.
Not sure, there is a new guideline from Google that prohibits browsers and engines from communicating with non-HTTPS applications whether it comes from a protected site or not. Only HTTP to HTTP or HTTPS to HTTPS.