Any help appreciated!
Juan Pablo Isaza
Short answer: you can't.
Once your API is public on the Internet, everything can connect to it as long as it has network capabilities: Telnet, HTTP, Go programs, Node.js scripts, Python scripts, et cetera.
You can limit your API access by using CORS policy, authorization header, user-agent header, referrer header, rate limiter and the like, but it's only a deterrent and everything can be spoofed by a malicious user.
In my opinion, you shouldn't worry about that, really. If you really really want security, and do not want others to access your API, consider implementing a user authentication system with JWT or sessions with secure cookies. It's the best way to protect your endpoints.
Check out these OWASP articles below to learn more about API security.
If you want to learn more about secure cookies and user authentication in Express, you can check the following articles:
I also have one more good article. It's in Go, but you can adapt the concepts in Express.js as well. Here's the link.
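Added example, not part of the answer above: a Node.js sketch contrasting a header-based check, which any client can satisfy, with a server-signed token check of the kind the answer recommends. The names `headerGate`, `tokenGate`, `signJwt`, `verifyJwt`, the `SECRET` value and the origin `https://app.example.com` are assumptions made for illustration, and the HS256 handling is hand-written on Node's built-in `crypto` module only so the block runs without dependencies.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value; keep real keys in a secret store
const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest('base64url');

// Issue an HS256 JWT once the user has authenticated (login step not shown).
function signJwt(claims, secret = SECRET) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${hmac(`${head}.${body}`, secret)}`;
}

// Return the claims if signature, algorithm and expiry all check out, else null.
function verifyJwt(token, secret = SECRET, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = Buffer.from(hmac(`${head}.${body}`, secret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    if (JSON.parse(Buffer.from(head, 'base64url')).alg !== 'HS256') return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url'));
    return typeof claims.exp === 'number' && claims.exp > now ? claims : null;
  } catch {
    return null;
  }
}

// Deterrent only: the client chooses every value this function inspects.
function headerGate(headers) {
  return headers.origin === 'https://app.example.com' && /Mozilla/.test(headers['user-agent'] || '');
}

// Authentication: passes only with a token signed by the server's key.
function tokenGate(headers) {
  const m = /^Bearer (.+)$/.exec(headers.authorization || '');
  return m !== null && verifyJwt(m[1]) !== null;
}
```

In an Express app the same `tokenGate` logic would sit in a middleware that reads `req.headers`; a maintained JWT library is the usual choice over hand-written verification.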