How to Prevent Third Party Websites from Calling Back-end Interfaces of Websites

  node.js, question

For websites with completely separated front and back ends, the back end uses PHP/Java/Python to output json format data to the front end, while the front end uses ajax to call the interface to the back end to obtain data. In this case, if the back-end interface does not take certain protection measures, it is easy to be maliciously called by others to do some Impossible. So, what are the main approaches to protect the back-end interface under this website architecture with the front and back ends completely separated?

1) issue verification Keys to users of your API, encode the requested data content according to the rules defined by both parties and combine the keys, decode and verify whether the back end meets the expectation after receiving the request, and set the access frequency of each key ~ ~
The content does not meet the expectation and directly rejects the response.
Access is too frequent, then this user is not allowed to access ~ ~ ~

2) SSH private key/public key can also be issued to ensure ~ ~ ~