How to secure an API?
Given:
Client - a person who has a website where he wants to open my data calculation application.
API server - my Laravel server.
The user base is located at the client. Using my application - each user of his site can calculate the data. This data is stored in a database on the client's website.
The API server knows nothing about users. Any user entering the application on the client's site must pass their login, and based on that login the API server makes a request to the client's server to get that user's data set so that it is all loaded into the application.
If you send this via GET in the src iframe line, then you can change the login through the developer tools and the data set will be loaded for another user.
How to avoid this? For now the idea is to have an API key on both the API server and the client server, and to encrypt and decrypt the login in the GET parameter with this key.
I'm also interested in whether it is possible to substitute the data in the curl request from the API server to the client server, or whether this data can be trusted.
And is it possible, using something from the $_SERVER array, to forbid access to the API if the request does not come from a specific domain but, say, from the user's local server? Although I think one could set up a local domain, and then that would not protect anything. Only binding to the client server's IP?
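The tampering problem described in the question (changing the login in the iframe `src` through the developer tools) is usually solved by having the client's server sign the login rather than encrypt it: a keyed MAC plus an expiry lets the API server detect any change to the parameter. The following is an added example, not code from the question's author; it assumes both servers hold the same `$sharedSecret` (an assumed configuration value), and the function names and the 300-second validity window are hypothetical. It goes a little beyond the question's encrypt/decrypt idea by showing why a signature with an expiry is the more direct fix.

```php
<?php
// Added example (not the question author's code): a short-lived, HMAC-signed login
// token passed from the client's server to the API server in the GET parameter.
// Assumes both servers share $sharedSecret (assumed config value); names are hypothetical.

declare(strict_types=1);

const TOKEN_TTL_SECONDS = 300; // validity window, assumed value

/**
 * Client server side: build the token for the logged-in user before rendering the iframe.
 * The payload (login + expiry) is only signed, not hidden: the goal is to detect changes.
 */
function issueToken(string $login, string $sharedSecret, ?int $now = null): string
{
    $now = $now ?? time();
    $payload = base64_encode(json_encode(
        ['login' => $login, 'exp' => $now + TOKEN_TTL_SECONDS],
        JSON_THROW_ON_ERROR
    ));
    $signature = hash_hmac('sha256', $payload, $sharedSecret);
    return $payload . '.' . $signature;
}

/**
 * API server side: verify the token from the GET parameter and return the trusted login,
 * or null when the signature does not match, the token is malformed, or it has expired.
 */
function verifyToken(string $token, string $sharedSecret, ?int $now = null): ?string
{
    $now = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $signature] = $parts;

    // Recompute the MAC and compare in constant time so the check does not leak via timing.
    $expected = hash_hmac('sha256', $payload, $sharedSecret);
    if (!hash_equals($expected, $signature)) {
        return null;
    }

    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $decoded = json_decode($raw, true);
    if (!is_array($decoded) || !isset($decoded['login'], $decoded['exp'])) {
        return null;
    }
    // Reject tokens whose validity window has passed (limits replay of a captured URL).
    if ((int) $decoded['exp'] < $now) {
        return null;
    }
    return (string) $decoded['login'];
}

// Demonstration with a constructed secret, login and fixed timestamps.
$secret = 'replace-with-a-long-random-secret-shared-by-both-servers';
$issuedAt = 1700000000;
$token = issueToken('alice', $secret, $issuedAt);

// Valid within the window: the API server gets back the login it can trust.
var_dump(verifyToken($token, $secret, $issuedAt + 100));

// Expired: rejected even though the signature is intact.
var_dump(verifyToken($token, $secret, $issuedAt + TOKEN_TTL_SECONDS + 1));

// Modified payload with the original signature: rejected by the MAC check.
[$payload, $signature] = explode('.', $token, 2);
$modified = base64_encode(json_encode(['login' => 'bob', 'exp' => $issuedAt + TOKEN_TTL_SECONDS]))
    . '.' . $signature;
var_dump(verifyToken($modified, $secret, $issuedAt + 100));
```

The same pair of functions covers the second question, the curl request from the API server back to the client's server: the API server forwards the token it received (or issues a fresh one the same way), and the client's server calls `verifyToken` before returning any user data, so a request with a changed login is refused regardless of which domain or IP it arrived from.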