You can secure your REST API by closing down a list of endpoints to only accept API tokens as authentication method.
You can Restrict API Authentication, which enforces REST API authentication on all incoming requests to the REST API. The Complete Lockdown will block all requests not containing valid API tokens, and will break existing functionality if it’s not applied with care. The intention of the complete lockdown is for the case when you have a specific resource that is very sensitive.
When your chosen REST endpoint paths are specified in your configuration, the only way to authenticate with these endpoints is using API tokens.