In my case, the API is private, meant to be consumed only by my Apps.

  1. I am interested in this restriction only for requests made through ‘Web/WebApplication’. I don’t want the restriction when the request is coming from the Mobile App. How can I identify the client information so I can implement this only for Web clients? The code below doesn’t distinguish.

     # Reject callers whose account is not on the web allowlist (applies to every client type)
     user = endpoints.get_current_user()
     if user is None or user.email() not in WEB_EXECUTION_AUTHORIZED_LIST:
         raise endpoints.UnauthorizedException('Authorization required')

For MobileApp the access control is already facilitated by AppEngine, where for Android an SHA-1 key would be needed. Although for iOS it doesn’t seem that secure.

2. I can imagine a lot of use cases where the API is meant to be private. It would have been easy if Google at least supported restricting the API execution through the explorer. The explorer already has a way for the user to give a Client Id and/or API Key.

