Configure IAM or App authentication for APIs to prevent malicious calling.
Configure a whitelist or blacklist of IP addresses/IP address ranges or accounts for APIs to secure access.
By default, an API can be called up to 200 times per second. If your backend service does not support this access rate, decrease the quota accordingly.