How to protect url endpoint?

[Jason]

I understand that I shouldn’t hard code the api key in to app. So I used aws api gateway to generate a url endpoint. But isn’t it the same that someone could just the endpoint as the api key? They can use the url to make api calls just like using the api key. How to protect the url endpoint?