You can go with an API key that has to be passed in the header and/or a Security Restrict if you only want them to be ran by logged in users or users with certain permissions.
You just need to implement the logic you are happy with in the Server Connect.
The approach is more a generic security question regarding APIs. You can google some articles about it and just apply them in Wappler. I believe Wappler can handle all the recommended strategies.
Tip: build the logic in a library action and add it at the beginning of the APIs you want to secure. It will be easier to maintain.