To answer your other questions, what you're describing doesn't sound like it's violating any best practices. Separating your back-end logic and exposing it as an API (a la
microservices) is fairly par for the course.
Datastore supports multi-tenancy in the form of
namespaces. HTTPS can be enforced on your API handlers using 'secure: always' in your app's
configuration file (app.yaml). Whitelisting can be achieved using Cloud Endpoints's
OAuth2 authorization (generally done using a web client ID for Javascript clients or an Android or iOS client ID for mobile clients).