Maybe it’s worth waiting for Brian’s tutorial, as it will be step-by-step.
Way better than me pasting a bunch of Stack Overflow links where you won’t be well received if you have questions, because SO is one hell of a shit show.
In any case, the first line of defence should be rate limiting, as it’s the only effective thing you can do to stop API abuse. Unfortunately you are using PHP and I am not versed in PHP packages for rate limiting.