I've stumbled upon this problem which I just can't seem to figure out.
I am currently in the midst of developing my own WordPress plugin. The plugin I'm building serves as a dashboard interface that displays all sorts of useful information. Some of this information is received by using external APIs that require API keys in order to gain access to their services.
However, this key is still bound to me. It's a personal key which I'd rather not leak into my application. So I've tried ways to encrypt it or make it less noticeable within the plugin, but this only works to a certain extent.
So I thought I'd try a different approach. Now I want to create my own server space that is handling all these API calls for me.
But my question is: how do I distinguish the calls that are made directly from my plugin users from the ones that are just made by random users who somehow got hold of my server URL?
Because I want to forbid usage of the server as much as possible by people who aren't directly associated with my plugin.