All you need to do is add a Security Provider and Security Restrict steps above your Server Connect queries. Can specify login and forbidden redirection within the Security Restrict dialogue. That will protect your API calls and only allow logged in Users to execute them.