JSON Web Token
Vladimir Shapovalov, 2020-01-31 17:29:35

How to do host identification for an API?

In principle, we have a working marketplace with an API whose clients are backends in "backend" languages (Python, PHP, etc.), including in the form of libraries for frameworks. The API key is registered on the backend, and each whitelabel has access only to information it created itself. When a client is authorized, a second, individual key is created; part of the API requests require both keys in the request headers (X-Api-Key plus regular Basic auth, for example, when working with a client profile). For the end user the site behaves like a completely classic one, but with an API instead of a database.

Now times have changed and our team is required to make "clients" for this API in JS under React, Angular and so on. The right idea arises immediately: identify the client and issue him a JWT token. Everything is fine here. But what about the identity of the host itself? Each host / site / domain, call it what you like, has its own settings, including its set of prices, products, site appearance, and so on. And I also want to keep them separate; I don't want to give a client from one host the opportunity to log in to another, for example. So the host needs to be identified somehow. The most obvious way is by the Origin in the request; I don't like it, because it's easy to fake. Another option is to issue some kind of identifier key for each site, so that all requests from it would be accompanied by it. But then it will have to be stored in a cookie or browser local storage (unlike a site with a backend, where it was not visible to anyone). That is, it will be visible to users, including cunning ones. How do I implement an API that works correctly for different domains with a not-logged-in user?

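As an added illustration (not code from the asker or the project), here is a minimal server-side model of the two-key scheme described in the question: a per-whitelabel X-Api-Key that selects the tenant, Basic auth that identifies the user, and a check that the user belongs to that tenant, followed by an HS256 JWT whose `aud` claim is the issuing tenant so a token obtained on one host is rejected on another. All tenants, users, API keys and the signing secret are constructed sample data; the stdlib is used instead of a JWT library so it runs offline. Note that a key shipped to the browser is public, so in a browser deployment X-Api-Key can only select the tenant; the tenant binding in the token is what stops cross-host reuse.

```python
"""Added example, not from the original post: two-key tenant auth plus a tenant-bound JWT.
All keys, users and the signing secret below are constructed sample data."""
import base64
import hashlib
import hmac
import json
import time


def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed data: tenant (whitelabel/host) API keys are stored hashed.
TENANTS = {  # sha256(api_key) -> tenant id
    _h("api-key-shop-a"): "shop-a.example",
    _h("api-key-shop-b"): "shop-b.example",
}
# Per-tenant user credentials (hashed); a user belongs to exactly one tenant.
USERS = {
    ("shop-a.example", "alice"): _h("alice-pw"),
    ("shop-b.example", "bob"): _h("bob-pw"),
}
JWT_SECRET = b"constructed-hs256-secret"  # assumption: one server-side HS256 key


class AuthError(Exception):
    pass


def resolve_tenant(headers: dict) -> str:
    """Map X-Api-Key to a tenant; an unknown key is rejected."""
    tenant = TENANTS.get(_h(headers.get("X-Api-Key", "")))
    if tenant is None:
        raise AuthError("unknown API key")
    return tenant


def authenticate(headers: dict) -> tuple:
    """Both keys are required: tenant from X-Api-Key, user from Basic auth,
    and the user must belong to that tenant (no cross-host logins)."""
    tenant = resolve_tenant(headers)
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        raise AuthError("missing Basic credentials")
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        raise AuthError("malformed Basic credentials")
    expected = USERS.get((tenant, user))
    if expected is None or not hmac.compare_digest(expected, _h(pw)):
        raise AuthError("bad credentials for this host")
    return tenant, user


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_jwt(tenant: str, user: str, ttl: int = 900, now=None) -> str:
    """HS256 JWT with aud = tenant, so it is only valid on the issuing host."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "aud": tenant, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, headers: dict, now=None) -> dict:
    """Check signature and expiry, and require aud to equal the tenant selected
    by the X-Api-Key that accompanies this request. Returns the claims."""
    tenant = resolve_tenant(headers)
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    expected = hmac.new(JWT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        raise AuthError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise AuthError("expired")
    if claims.get("aud") != tenant:
        raise AuthError("token issued for another host")
    return claims


def basic(user: str, pw: str) -> str:
    """Build a Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def rejected(fn, *args, **kwargs) -> bool:
    """True if the call fails the auth check."""
    try:
        fn(*args, **kwargs)
        return False
    except AuthError:
        return True


if __name__ == "__main__":
    hdrs = {"X-Api-Key": "api-key-shop-a", "Authorization": basic("alice", "alice-pw")}
    tenant, user = authenticate(hdrs)
    tok = issue_jwt(tenant, user)
    print(verify_jwt(tok, {"X-Api-Key": "api-key-shop-a"})["sub"])
    # alice's credentials presented with shop-b's API key are rejected,
    # and her token is rejected when replayed against shop-b.
    print(rejected(authenticate, {"X-Api-Key": "api-key-shop-b", "Authorization": basic("alice", "alice-pw")}))
    print(rejected(verify_jwt, tok, {"X-Api-Key": "api-key-shop-b"}))
```

The isolation comes from two places: `authenticate` looks the user up under the tenant derived from the API key rather than globally, and `verify_jwt` compares the token's `aud` with the tenant of the request it arrives on, so neither credential nor token crosses hosts even though both are visible to the browser user.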