To protect your APIs, set as few permissions as possible for your application to work. For example, if you plan to use the API to collect data from a form, leave only the Create (POST) permission. This way, even if someone gets to know your endpoint, they won't be able to view or modify your data.
A request to an unauthorized endpoint will result in a 403 Forbidden error.
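One way to confirm that an endpoint really is create-only is to send every method and flag any non-POST method that does not come back as 403. This is an added example, not code from the original page; the stub server, the path `/forms/contact`, and the 201 status returned for an accepted POST are assumptions made so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED = {"POST"}  # assumption: only the Create permission is enabled
METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE"]

class StubEndpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for a create-only endpoint (not a real API)."""

    def _respond(self):
        length = int(self.headers.get("Content-Length") or 0)
        self.rfile.read(length)  # drain any request body
        # Assumed success status is 201; everything else is 403 Forbidden.
        self.send_response(201 if self.command in ALLOWED else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _respond

    def log_message(self, *args):  # silence per-request logging
        pass

def probe(host, port, path="/forms/contact"):  # hypothetical path
    """Send each method once and return {method: HTTP status}."""
    results = {}
    for method in METHODS:
        body = None if method in ("GET", "DELETE") else b'{"name": "test"}'
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path, body=body)
        results[method] = conn.getresponse().status
        conn.close()
    return results

def excess_permissions(results, allowed=ALLOWED):
    """Methods outside `allowed` that were not rejected with 403."""
    return sorted(m for m, s in results.items() if m not in allowed and s != 403)

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubEndpoint)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    observed = run_demo()
    print(observed, "excess:", excess_permissions(observed))
```

An empty list from `excess_permissions` means every method other than POST was refused; any method it returns is a permission that should be switched off.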