Reputation: 1148
I have an endpoint that verifies that email addresses are deliverable; call it https://testService.com/verify. This endpoint comes with an API key, let's call it 'AbCd'. If you concatenate both of those things and an email address in a query string and perform a GET request, it tells you if the email address is deliverable. I am using this to validate a form and only submit if the email address is deliverable. The page where this is being used is an e-commerce landing page where no login is required, so using Google OAuth is not a possibility.
The problem becomes that I cannot hardcode the API key "AbCd" in the front end because it is then insecure, and theoretically someone could rip the API key and use the service on their own forms on our dime.
Conventional wisdom says I should execute this call on the back end and then forward the response to the app. However, if I make a call from the back end, the front end still has to call the back end; you can find where it is making the call from in the network tab and then use it in other apps.
You could secure the back end with an API key; however, this just brings you full circle to where we started: an endpoint and an API key.
Upvotes: 0
Views: 257
Reputation: 31815
If your goal is to verify on the server side that a request has been sent from the web page of your frontend, you can't. An API key is easily readable by anyone, and every HTTP header can be spoofed, so there is no reliable way to achieve that.
The best thing you could do is verify that a request comes from a real person, which can be achieved with a CAPTCHA.
Upvotes: 2