PHP
cixazixaye, 2017-05-15 16:41:17

What is the best way to make a private REST API?

What is the best way to implement a private REST API? Send a token on every request, or just rely on CORS? Or is there a more elegant solution?
How can the API later be split into a part for everyone and a part for myself? For example, keep some methods for myself and prohibit others from using them.


5 answers
xmoonlight, 2017-05-15
@cixazixaye

CORS has nothing to do with the API, because it is a browser technology used for scripting within browsers.

1. For everyone: a list of parameters without a key.
2. For yourself: a list of parameters with a certain DYNAMIC key (a signature token) and a formula for generating it, which is known only to you.

1. On the server, we store the formula for generating a request signature based on the input parameters of the API request and the timestamp.
2. When accessing the functions of the "closed" API (for personal purposes), you form the request signature, having SYNCHRONIZED your clock with the server time beforehand, and send it to the server according to the formula.
3. The server, knowing the formula, does the same and compares the received signature with the one it computed (by the same formula on the server side): if they do not match OR the request is expired OR it is a duplicate, the server rejects the API request; otherwise the request is executed.
4. The server caches the request for the duration of the timing tolerance, so that an identical request captured via MITM interception cannot be reused.
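
The scheme above, written out as an added example that is not part of the original answer. The "formula" is assumed to be HMAC-SHA256 over a canonical serialisation of method, path, sorted parameters, timestamp and a client nonce; the 30-second skew window, the secret, the `PRIVATE_PATHS` set and the request dict layout are all constructed for the demo. The replay cache keeps a valid signature for twice the skew window, which is exactly how long the timestamp check would still accept a copy of it.

```python
import hashlib
import hmac
import time

# Constructed demo secret: a real deployment loads it from configuration.
SECRET = b"constructed-demo-secret"
# Largest clock difference between client and server that is still accepted (seconds).
MAX_SKEW = 30
# Endpoints that require a signature; everything else is public (constructed list).
PRIVATE_PATHS = {"/v1/private/stats"}


def canonical_string(method, path, params, timestamp, nonce):
    """Serialise the request identically on both sides so the HMAC matches."""
    query = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return f"{method.upper()}\n{path}\n{query}\n{timestamp}\n{nonce}"


def sign_request(method, path, params, timestamp, nonce, secret=SECRET):
    """Client side: the 'formula' is HMAC-SHA256 over the canonical string."""
    msg = canonical_string(method, path, params, timestamp, nonce).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ReplayCache:
    """Remembers accepted signatures for as long as the timestamp window allows a replay."""

    def __init__(self, ttl):
        self.ttl = ttl
        self._seen = {}  # signature -> expiry time

    def seen_before(self, signature, now):
        # Drop entries whose timestamp window has closed; they can no longer be replayed.
        for sig, expires in list(self._seen.items()):
            if expires <= now:
                del self._seen[sig]
        if signature in self._seen:
            return True
        self._seen[signature] = now + self.ttl
        return False


def verify_request(method, path, params, timestamp, nonce, signature, cache,
                   now=None, secret=SECRET):
    """Server side: recompute the signature and apply the three rejection rules."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign_request(method, path, params, timestamp, nonce, secret)
    # Constant-time comparison so timing differences do not leak the expected value.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Only valid signatures enter the cache, so junk requests cannot fill it up.
    if cache.seen_before(signature, now):
        return False, "replay"
    return True, "ok"


def handle(request, cache, now=None):
    """Route a request dict; public paths skip the signature check entirely."""
    path = request["path"]
    if path not in PRIVATE_PATHS:
        return 200, "public response"
    ok, reason = verify_request(request["method"], path, request["params"],
                                request["timestamp"], request["nonce"],
                                request["signature"], cache, now=now)
    if not ok:
        return 403, reason
    return 200, "private response"
```

A client calls `sign_request` with its synchronised clock and sends the timestamp, nonce and hex signature alongside the parameters; the server runs `handle` with one long-lived `ReplayCache`. Passing `now` explicitly makes the window logic testable without sleeping.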

al_gon, 2017-05-15
@al_gon

JSON Web Token

Ramil, 2017-05-15
@rshaibakov

You need to look towards OAuth authorization (not to be confused with authentication).
CORS is unlikely to help you, since it grants privileges to domains, not to users.

Konstantin B., 2017-05-15
@Kostik_1993

To do this, use middleware and JWT.
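
To show what "middleware and JWT" looks like in practice, here is an added example that is not part of the original answer. It hand-rolls HS256 with the standard library instead of using a JWT library, so the reader can see every check; the secret, the `internal` scope name, the request dict shape and the handler signature are constructed for the demo. Note that the verifier pins the algorithm to HS256 rather than trusting the `alg` field from the token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: a real deployment loads it from configuration.
SECRET = b"constructed-demo-secret"
# Scope that marks the private part of the API (constructed name).
PRIVATE_SCOPE = "internal"


def _b64url(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret=SECRET) -> str:
    """Build header.payload.signature with HS256 over the first two segments."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = _b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def verify_token(token: str, now=None, secret=SECRET):
    """Return the claims if the token is well-formed, correctly signed and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return None
    # Pin the algorithm: the server decides how tokens are signed, not the token.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    # Require an expiry; a token without one would be valid forever.
    if not isinstance(claims, dict) or claims.get("exp") is None or claims["exp"] <= now:
        return None
    return claims


def jwt_middleware(request: dict, handler, now=None):
    """Runs before the handler: rejects missing/invalid tokens and wrong scope."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing token"}
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, {"error": "invalid token"}
    if PRIVATE_SCOPE not in claims.get("scope", []):
        return 403, {"error": "forbidden"}
    return handler(request, claims)
```

Wrap only the private routes in `jwt_middleware`; public routes call their handler directly, which gives the "for everyone / for yourself" split the question asks about.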

Fadi Haj, 2017-05-25
@fdhaj

It depends on how closed the API is.
If it is designed for use within your own infrastructure, use certificates for signing. If it is reachable from a browser or, say, an application, then the API is no longer closed; it simply becomes undocumented.
