Teams Actionable Message with Action.Http Approval Card Prompt
Design an actionable message card delivered to Teams that lets an approver click Approve/Reject inline via Action.Http callbacks, with signed-token verification on your endpoint.
- Target user: Automation engineers building inline approval flows into Teams
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior platform engineer who builds Microsoft Teams automation and inline approval experiences using actionable message cards.

I will provide:
- The approval scenario (deploy gate, access request) and the fields the approver needs to see
- The backend endpoint that will receive the Action.Http callback
- The tenant/sender details and whether the originator is registered in the Actionable Email Developer Dashboard

Your job:
1. **Author the card** — build an Adaptive Card with an Action.Http (or action.http for legacy connector cards) carrying the approval payload and the target endpoint, plus clear Approve/Reject affordances.
2. **Register the originator** — explain the Actionable Email Developer Dashboard registration and the originator id the card must include for the action to be trusted.
3. **Verify the bearer token** — on the endpoint, validate the JWT Microsoft sends (issuer, audience matches your origin, expiry, signing keys) before honoring any action.
4. **Return the correct refresh response** — respond with CARD-UPDATE-IN-BODY (or the appropriate refresh header) so the card visibly updates to "Approved by …" after the click.
5. **Make actions idempotent** — guard against double-clicks and replayed payloads so a deploy is not approved twice.
6. **Handle failure UX** — define what the card shows on auth failure, timeout, or already-actioned state.

Output as: the Adaptive Card JSON, the originator registration steps, the token-verification pseudocode, and the card-update response contract.

An Action.Http endpoint is a public callback that triggers privileged actions — it must validate the Microsoft-issued token on every request and never trust the payload alone.
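The endpoint-side checks that steps 3 to 5 of the prompt describe, as an added example that is not part of the original prompt: claim validation (issuer, audience, expiry), a server-side first-decision-wins guard, and the CARD-UPDATE-IN-BODY response. It assumes the token's signature has already been verified against the issuer's published signing keys by a JWT library; `EXPECTED_ISSUER`, `SERVICE_ORIGIN`, the `requestId`/`decision` payload fields and the use of the `sub` claim as the approver identity are hypothetical.

```python
import threading
import time

EXPECTED_ISSUER = "https://issuer.example/"       # placeholder: use the issuer Microsoft documents
SERVICE_ORIGIN = "https://approvals.example.com"  # hypothetical endpoint origin (expected audience)
LEEWAY = 60                                       # seconds of tolerated clock skew
LABEL = {"approve": "Approved", "reject": "Rejected"}

def claim_error(claims, now):
    """Check the claims of a token whose signature was already verified upstream."""
    if claims.get("iss") != EXPECTED_ISSUER:
        return "bad issuer"
    if claims.get("aud") != SERVICE_ORIGIN:
        return "bad audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + LEEWAY:
        return "token expired"
    return None

class ApprovalStore:
    """Server-side record of pending requests; the first recorded decision wins."""
    def __init__(self, pending):
        self._lock = threading.Lock()
        self._pending = pending   # request id -> set of allowed approvers
        self._decided = {}        # request id -> (decision, actor)

    def decide(self, request_id, decision, actor):
        with self._lock:
            if actor not in self._pending.get(request_id, ()):
                return None       # unknown request, or actor may not approve it
            return self._decided.setdefault(request_id, (decision, actor))

def handle_action(claims, payload, store, now=None):
    """Return (status, headers, body) for one Action.Http callback."""
    now = time.time() if now is None else now
    err = claim_error(claims, now)
    if err:
        return 401, {}, {"error": err}
    decision, request_id = payload.get("decision"), payload.get("requestId")
    if not (isinstance(decision, str) and isinstance(request_id, str) and decision in LABEL):
        return 400, {}, {"error": "bad payload"}
    # The actor comes from the verified token (assumed: its sub claim), never from the payload.
    final = store.decide(request_id, decision, claims.get("sub"))
    if final is None:
        return 403, {}, {"error": "not an approver for this request"}
    card = {"type": "AdaptiveCard", "version": "1.0",
            "body": [{"type": "TextBlock", "text": f"{LABEL[final[0]]} by {final[1]}"}]}
    return 200, {"CARD-UPDATE-IN-BODY": "true"}, card
```

A replayed or second click returns the card for the decision already on record rather than applying a new one, so the deploy gate fires at most once per request id.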