How to identify my own plugin via API calls?

Hi,
is there a way to identify my own plugin when making calls to my own server? (e.g. to prevent potential abuse).
I see that the requests that I make from the plugin iFrame have 'Access-Control-Allow-Origin: "*" as header, which means that I need to disable CORS check on my server. Furthermore, if possible I’d like to prevent somebody else’s plugin calling my own APIs. What are some strategies I can adopt here? (I guess making the user authenticate is one option, but seems quite an overkill).

Additionally:
Is the code running in the sandbox visible to a user inspecting the plugin?

Thanks in advance!

Hope this is what you need: