When building a webapp, I'd like form data / interaction to be all driven by AJAX APIs. However, a lot of these APIs would be retrieving data objects (JSON) and I'd really only like my web app to use them. Is there any way to architect the API in such a way that only my website can call it? It feels like it would be a losing battle.
For instance, I could check if the domain making the request is mine, but a host header can be spoofed. JSONP doesn't solve it for me since someone could just write a service in Java or something to make requests outside of a browser sandbox.
I'm thinking there might be something with security tokens and generating one, but I feel like any real measure I take can be spoofed by a clever scraper.
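As an added illustration (not part of the question above), this is what the usual server-side gate for a same-site API looks like: an `Origin`/`Referer` allow-list plus a session-bound token sent in a custom header, which together stop a foreign web page from calling the API from a visitor's browser but, as the question suspects, do nothing against a scripted client that holds a valid session. The server secret, origin and header names are assumptions for the example.

```python
import hashlib
import hmac
from typing import Mapping, Optional, Tuple

# Constructed demo values; a real deployment keeps the secret out of source control.
SERVER_SECRET = b"constructed-demo-secret"
ALLOWED_ORIGINS = {"https://app.example"}  # assumption: the site's own origin


def issue_api_token(session_id: str) -> str:
    """Derive a per-session token the page embeds in its HTML/JS.

    Binding the token to the session means a token leaked from one user is
    useless with another user's cookie, and the server stores nothing extra.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_allowed(value: str) -> bool:
    # Origin has no path; Referer does, so accept either form of the same origin.
    return any(value == o or value.startswith(o + "/") for o in ALLOWED_ORIGINS)


def check_api_request(headers: Mapping[str, str], session_id: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one JSON API call.

    Checks the server-controlled state (session), then two things a browser
    enforces on behalf of cross-site pages: the Origin header (page script
    cannot alter it) and a custom header (a cross-site fetch cannot add it
    without a CORS preflight the server never approves). A non-browser client
    with a stolen or legitimately obtained session passes all three.
    """
    if not session_id:
        return False, "no authenticated session"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer"
    if not _origin_allowed(origin):
        return False, "origin not allowed: " + origin
    token = headers.get("X-Api-Token", "")
    # Constant-time compare so token checks do not leak by timing.
    if not hmac.compare_digest(token, issue_api_token(session_id)):
        return False, "bad or missing token"
    return True, "ok"
```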