Hello, welcome to the forums.
1) You can choose which URLs you want to restrict in your Java application using
security constraints. That way only someone logged in as a developer or your application itself can access that endpoint.
2) There are many ways to implement having a staging and production environment. You could
use a separate service as your staging environment. Several App Engine services such as Datastore will also let you use
namespaces to keep the data of your environment separates. Finally you could simply create a different cloud project and use that as your staging environment.
I hope this helps. Let me know if I can clarify anything for you.