Identify and authenticate the Host client. Simple requests to the API that do not allow for modification. Strict validation of requests and so forth.
I’ll assume you’ll be using Steam or EOS. Both of these will provide a way to identify each user. The userID can be used as a part of a key when making requests to the back end.
The Web server will stand in as a guard/validator. Host will request validation, web server response will be a token for future requests (limited life span).
e.g. See OAUTH for an example, potential solution
Once validated and token received/stored the client can then do formal DB requests. Said requests will be filtered and validated by the web server. The web server will use the API to Get the requested data, then format the response.
This hides the API from the public (no direct access).
Requests to the web server without a token or ill formed tokens can be dropped outright.
web server will validate the token, then validate the request/params, then perform try/catch. format the response, and send.