I have read a lot about this on here and other articles. First let me explain my situation.
Let's say I have the following REST backend:

GET /user - returns all users in JSON. (No need to be logged-in)
POST /user - registers a new user. (No need to be logged-in)
DELETE /user - deletes a user. (You do need to be logged-in)
POST /login - posts login credentials and returns a 200 OK on successful authentication. This also creates a session with the username.
DELETE /login - logout, this deletes the session.
For user authentication and roles I use Deadbolt-2, so for example when DELETE /user is called, first the session will be viewed to determine whether you are logged-in and then the username is used to determine if you have the correct permissions.
This works. My question is not about this kind of authorization/authentication. It is however about the following:
I want to secure the "public" API calls like GET /user in a way so only front-end applications that are approved by me can access them.
I have read a lot about api-keys and HMAC and OAuth. But it seems to me they are talking about the first scenario and not the second. So how would I go about this in my situation?
Thank you for your time.
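Added example (not part of the question above, and not code from Deadbolt-2 or the asker's backend): the HMAC request-signing scheme the question mentions, shown as both halves of the exchange. Each approved front end gets an app id and a shared secret; it signs the method, path, timestamp, nonce and body hash with HMAC-SHA256, and the backend recomputes the signature with constant-time comparison, rejects stale timestamps, and rejects reused nonces so a captured request cannot be replayed. The header names, the `APPROVED_APPS` registry and the 300-second skew window are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample registry of approved front-end apps: app id -> shared secret.
# Assumption: this table lives only on the backend; the front end holds its own secret.
APPROVED_APPS = {
    "web-frontend-v1": b"constructed-secret-for-web-frontend",
}

ALLOWED_SKEW_SECONDS = 300  # assumed clock-skew window for the timestamp check


def canonical_string(method, path, app_id, timestamp, nonce, body):
    """Build the exact byte string both sides sign; any change to it breaks the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, app_id, str(timestamp), nonce, body_hash])


def sign_request(method, path, app_id, secret, body=b"", timestamp=None, nonce=None):
    """Client side: produce the headers an approved front end attaches to a request."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = nonce or secrets.token_hex(16)
    msg = canonical_string(method, path, app_id, ts, nonce, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-App-Id": app_id,
        "X-Timestamp": str(ts),
        "X-Nonce": nonce,
        "X-Signature": sig,
    }


class SignatureVerifier:
    """Server side: check signature, freshness and nonce uniqueness for each request."""

    def __init__(self, apps, skew=ALLOWED_SKEW_SECONDS):
        self.apps = apps
        self.skew = skew
        self.seen_nonces = {}  # nonce -> timestamp; in-memory replay cache for the example

    def verify(self, method, path, headers, body=b"", now=None):
        now = int(time.time()) if now is None else now
        app_id = headers.get("X-App-Id", "")
        secret = self.apps.get(app_id)
        if secret is None:
            return False, "unknown app id"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.skew:
            return False, "timestamp outside allowed window"
        nonce = headers.get("X-Nonce", "")
        msg = canonical_string(method, path, app_id, ts, nonce, body).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        # compare_digest avoids leaking how many leading bytes matched via timing
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "signature mismatch"
        if not nonce or nonce in self.seen_nonces:
            return False, "replayed or missing nonce"
        self.seen_nonces[nonce] = ts
        self._purge(now)
        return True, "ok"

    def _purge(self, now):
        """Drop nonces older than the skew window; they can no longer pass the timestamp check."""
        stale = [n for n, t in self.seen_nonces.items() if now - t > self.skew]
        for n in stale:
            del self.seen_nonces[n]


if __name__ == "__main__":
    secret = APPROVED_APPS["web-frontend-v1"]
    headers = sign_request("GET", "/user", "web-frontend-v1", secret)
    verifier = SignatureVerifier(APPROVED_APPS)
    print(verifier.verify("GET", "/user", headers))   # first use: accepted
    print(verifier.verify("GET", "/user", headers))   # same nonce again: rejected
```

The scheme only distinguishes approved clients while the secret stays out of reach of unapproved ones: a secret shipped inside browser-delivered JavaScript is visible to anyone who loads the page, so for a pure browser front end the signing step has to run on a server-side component that the browser talks to. Replay protection here uses an in-process dictionary, which a multi-instance backend would replace with a shared store.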