I'd like to know some best practices on how to build a REST API for a backend that communicates with a mobile app used by anonymous users.
This is the scenario with details:
I'm building a demo library app that shows details about books; those details are returned in JSON format when the app fetches the URL
www.mylibrary.com/<bookid>/details
Anyone who has the app installed should be able to fetch any book's details without registering in the app.
The response is generated by an API Gateway and a Lambda function in AWS, which reads from DynamoDB.
Is there any way to, let's say, prevent a user from cURLing or browsing the endpoint www.mylibrary.com/<bookid>/details
and getting the JSON response?
How, for example, does an app like Amazon or Reddit handle fetching its product catalogue/posts from the app?
If anonymous users can fetch JSON from Amazon's endpoint, let's say amazon.com/catalog?country=us,
and display it on a mobile screen, does that mean I can browse to that URL and get the same JSON response?
Is there any other clever "protection/approach" to avoid exposing the JSON to any device?
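The endpoint the question describes (API Gateway in Lambda proxy mode, a Lambda function reading a book record from DynamoDB, JSON back to the caller), as an added example that is not part of the original question. The book-id format, the table layout, the sample rows and the in-memory stand-in for the DynamoDB table are all assumptions made so the code runs offline; in the real deployment `table` would be a boto3 `Table` object, whose `get_item` call has the same shape.

```python
"""Lambda handler for GET /{bookid}/details (hypothetical implementation for the question above)."""
import json
import re

# Assumption: book ids are short alphanumeric tokens. Anything else is rejected with a 400
# before it reaches the database, so the key passed to DynamoDB is always well-formed.
BOOK_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


class InMemoryTable:
    """Constructed stand-in for a boto3 DynamoDB Table so the example runs without AWS."""

    def __init__(self, items):
        self._items = {item["bookid"]: item for item in items}

    def get_item(self, Key):
        # Mirrors boto3: a hit returns {"Item": ...}, a miss returns a dict without "Item".
        item = self._items.get(Key["bookid"])
        return {"Item": item} if item is not None else {}


# Constructed sample data standing in for the contents of the DynamoDB table.
SAMPLE_TABLE = InMemoryTable([
    {"bookid": "b1001", "title": "The Art of Computer Programming", "author": "Knuth",
     "year": 1968, "internal_note": "not for clients"},
    {"bookid": "b1002", "title": "Security Engineering", "author": "Anderson", "year": 2001},
])

# Fields that are public; everything else in the record stays on the server side.
PUBLIC_FIELDS = ("bookid", "title", "author", "year")


def _response(status, body):
    """Build the response object API Gateway expects from a Lambda proxy integration."""
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def handler(event, context=None, table=SAMPLE_TABLE):
    """Entry point invoked by API Gateway; `table` is injectable so the example is testable."""
    book_id = (event.get("pathParameters") or {}).get("bookid", "")
    if not BOOK_ID_RE.fullmatch(book_id):
        return _response(400, {"error": "invalid book id"})
    item = table.get_item(Key={"bookid": book_id}).get("Item")
    if item is None:
        return _response(404, {"error": "book not found"})
    # Project the record onto the public fields instead of returning the raw item.
    return _response(200, {k: item[k] for k in PUBLIC_FIELDS if k in item})


def make_event(book_id, method="GET"):
    """Construct the subset of an API Gateway proxy event that the handler reads."""
    return {
        "httpMethod": method,
        "resource": "/{bookid}/details",
        "path": f"/{book_id}/details",
        "pathParameters": {"bookid": book_id},
        "headers": {},
    }


def parsed_body(response):
    """Decode the JSON body of a handler response (helper for callers and tests)."""
    return json.loads(response["body"])


if __name__ == "__main__":
    print(handler(make_event("b1001")))
    print(handler(make_event("b9999")))
    print(handler(make_event("../etc/passwd")))
```

The handler only ever sees the HTTP request that API Gateway forwards: the path parameter, headers and body. Whether that request came from the app, a browser or cURL is not something the event itself records, so the id validation and the projection onto `PUBLIC_FIELDS` are the checks the function can actually enforce on its own.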