[Answered] Can I expose the API URL to the public in a Python library?

1👍

Hiding the API URL is security through obscurity and should be avoided.

To protect your API from being abused by public users, you can either develop your own protection mechanism, e.g. rolling out your custom API key provisioning with a rate limiter, IP address filtering, etc.

Or you can use AWS API Gateway to proxy traffic to your back-end API. API Gateway alone might not be useful, but the services supporting it are really helpful, without requiring you to write additional code:

  1. API Gateway supports API Key with Usage Plans, helping to rate limit your authenticated users.
  2. You can enable AWS WAF to protect your API from malicious scripts or other attacks.
  3. To make sure that your back-end servers only receive traffic from API Gateway, you can configure a client-certificate. This way, your server is protected even if your back-end’s API URL is publicly exposed.
👤duyvh
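
The first option in the answer above (custom API key provisioning with a rate limiter and IP address filtering), sketched as an added example that is not part of the original answer. The `Gatekeeper` class, its method names and the sample key and addresses are hypothetical; the clock is passed in as `now` so the behaviour is reproducible.

```python
import hashlib
import hmac
import ipaddress


def _digest(key):
    return hashlib.sha256(key.encode()).digest()


class Gatekeeper:
    """Hypothetical server-side check: API key, source IP, then rate limit."""

    def __init__(self):
        self.clients = []

    def issue(self, key, cidrs, rate, burst):
        # Store only a hash of the issued key, never the key itself.
        self.clients.append({
            "hash": _digest(key),
            "nets": [ipaddress.ip_network(c) for c in cidrs],  # empty = deny all
            "rate": rate,            # tokens refilled per second
            "burst": burst,          # bucket capacity
            "tokens": float(burst),
            "last": 0.0,
        })

    def check(self, key, client_ip, now):
        """Return an HTTP-style status for one request at time `now` (seconds)."""
        presented = _digest(key or "")
        client = None
        for c in self.clients:       # constant-time comparison of each hash
            if hmac.compare_digest(c["hash"], presented):
                client = c
        if client is None:
            return 401               # unknown or missing key
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in client["nets"]):
            return 403               # valid key, source address not allowed
        # Token bucket: refill for the elapsed time, then spend one token.
        elapsed = now - client["last"]
        client["tokens"] = min(client["burst"], client["tokens"] + elapsed * client["rate"])
        client["last"] = now
        if client["tokens"] < 1:
            return 429               # over the per-key limit
        client["tokens"] -= 1
        return 200
```

With a constructed key issued as `issue("k-demo", ["203.0.113.0/24"], rate=1.0, burst=2)`, three back-to-back calls from `203.0.113.5` return 200, 200 and 429, and a call one second later returns 200 again.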
