Hacker News
by koolba 1736 days ago
Nice project! There are a number of government and quasi-government agencies that I wish had end-user-accessible APIs.

AES-encrypted responses from Amtrak's API are all encrypted with the same constant hard-coded IV:

https://github.com/pieromqwerty/amtrak/blob/master/src/amtra...

https://github.com/pieromqwerty/amtrak/blob/e0bc815f7ff73484...

What a waste of time and taxpayer money. Might as well just make the API public and add some CORS headers. Or require an API key and have the website dynamically generate them internally with a short expiration.

The encryption dance being performed here is all theater and the acting sucks.
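
The constant-IV point in the comment above, as an added example that is not part of the thread or of the linked project. It assumes AES-128-CBC (the comment does not name the mode) with a constructed key, IV and sample payloads, and shows that a fixed key and IV make encryption deterministic, next to a per-message random IV.

```javascript
// Added example: constant IV vs. per-message random IV under AES-CBC.
// Mode, key, IV and payloads are constructed for illustration (assumptions).
const crypto = require('crypto');

const KEY = crypto.createHash('sha256').update('constructed demo key').digest().subarray(0, 16);
const STATIC_IV = Buffer.alloc(16, 0x42); // constructed constant IV

// Weak pattern: every response is encrypted with the same key and IV.
function encryptStaticIv(plaintext) {
  const c = crypto.createCipheriv('aes-128-cbc', KEY, STATIC_IV);
  return Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
}

// Corrected pattern: fresh random IV per message, sent in front of the ciphertext.
function encryptRandomIv(plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-128-cbc', KEY, iv);
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]);
}

function decryptRandomIv(blob) {
  const d = crypto.createDecipheriv('aes-128-cbc', KEY, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]).toString('utf8');
}

// Count how many leading 16-byte blocks two byte strings have in common.
function sharedLeadingBlocks(a, b) {
  let n = 0;
  while ((n + 1) * 16 <= Math.min(a.length, b.length) &&
         a.subarray(n * 16, (n + 1) * 16).equals(b.subarray(n * 16, (n + 1) * 16))) n++;
  return n;
}

// Constructed responses whose first 45 bytes are identical (two full AES blocks).
const r1 = '{"trainNum":"0001","routeName":"A","status":"on time"}';
const r2 = '{"trainNum":"0001","routeName":"A","status":"delayed"}';

console.log('static IV, shared blocks:', sharedLeadingBlocks(encryptStaticIv(r1), encryptStaticIv(r2)));
console.log('random IV, shared blocks:', sharedLeadingBlocks(encryptRandomIv(r1), encryptRandomIv(r2)));
```

A random IV only removes the determinism; CBC still carries no integrity check, and a key shipped in client-side code remains readable by every client.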

1 comment

Some people have theorized it wasn't Amtrak who wanted the bs encryption (also probably why the keys haven't changed in 3 years and they've made no effort to prevent people from grabbing this data) but actually some sort of National Security jargon.