How do I secure my REST api developed in playframe

Posted 2019-03-12 13:14

I have read a lot about this on here and other articles. First let me explain my situation.

Let's say I have the following REST backend:

GET /user returns all users in JSON. (No need to be logged-in)
POST /user registers new user. (No need to be logged-in)
DELETE /user deletes a user. (You do need to be logged-in)

POST /login posts login credentials and returns a 200 OK on successful authentication. Also this creates a session with the username.

DELETE /login logout, this deletes the session.

For user authentication and roles I use Deadbolt-2 so for example when DELETE /user is called first the session will be viewed to determine whether you are logged-in and then the username is used to determine if you have the correct permissions.

This works. My question is not about this kind of authorization/authentication. It is however about the following:

I want to secure the "public" API calls like: GET /user in a way so only front-end applications that are approved by me can access them.

I have read a lot about API keys and HMAC and OAuth. But it seems to me they are talking about the first scenario and not the second. So how would I go about this in my situation?

Thank you for your time.
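The question mentions API keys and HMAC as candidate mechanisms for the second scenario. Below is an added example of what an HMAC request-signing scheme for the "public" endpoints looks like, written for this page; it is not code from the original post, from Play Framework, or from the play-rest-security project. The header names (`X-Api-Key`, `X-Timestamp`, `X-Signature`), the canonical string layout, the 300-second replay window and the sample key are all assumptions chosen for the illustration. The class has no Play dependency so it compiles and runs on its own; in a Play application the `verify` call would be made from an action that wraps the public routes before the controller body runs.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the original post or from play-rest-security):
 * HMAC request signing so that only front-ends holding a key issued by the
 * API owner can call otherwise public endpoints such as GET /user.
 *
 * The client sends three headers (names are assumptions):
 *   X-Api-Key:   identifies which approved front-end is calling
 *   X-Timestamp: Unix epoch seconds at which the request was signed
 *   X-Signature: Base64(HMAC-SHA256(secret, METHOD "\n" PATH "\n" TIMESTAMP "\n" Base64(SHA-256(body))))
 * The server looks the secret up by key id, recomputes the MAC over the same
 * canonical string and compares in constant time.
 */
public final class HmacRequestAuth {

    private static final String HMAC_ALG = "HmacSHA256";
    /** Requests whose timestamp is further than this from server time are rejected to limit replay. */
    private static final long MAX_SKEW_SECONDS = 300;

    /** keyId -> shared secret. Filled with constructed sample data; a real deployment loads it from configuration. */
    private final Map<String, byte[]> secretsByKeyId = new HashMap<>();

    public void registerClient(String keyId, byte[] secret) {
        secretsByKeyId.put(keyId, secret.clone());
    }

    /** The exact string both sides MAC over. Binding method, path and body hash ties the signature to this one request. */
    static String canonical(String method, String path, long timestamp, byte[] body) throws Exception {
        byte[] bodyHash = MessageDigest.getInstance("SHA-256").digest(body == null ? new byte[0] : body);
        return method.toUpperCase() + "\n" + path + "\n" + timestamp + "\n"
                + Base64.getEncoder().encodeToString(bodyHash);
    }

    static String sign(byte[] secret, String canonical) throws Exception {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(new SecretKeySpec(secret, HMAC_ALG));
        return Base64.getEncoder().encodeToString(mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8)));
    }

    /** Client side: produce the three headers for one request. */
    public static Map<String, String> signRequest(String keyId, byte[] secret, String method, String path,
                                                  byte[] body, long now) throws Exception {
        Map<String, String> headers = new HashMap<>();
        headers.put("X-Api-Key", keyId);
        headers.put("X-Timestamp", Long.toString(now));
        headers.put("X-Signature", sign(secret, canonical(method, path, now, body)));
        return headers;
    }

    /** Server side: true only for a fresh, untampered request from a registered client. */
    public boolean verify(Map<String, String> headers, String method, String path, byte[] body, long now) throws Exception {
        String keyId = headers.get("X-Api-Key");
        String ts = headers.get("X-Timestamp");
        String sig = headers.get("X-Signature");
        if (keyId == null || ts == null || sig == null) return false;

        byte[] secret = secretsByKeyId.get(keyId);
        if (secret == null) return false;                          // key id not issued by us

        long timestamp;
        try { timestamp = Long.parseLong(ts); } catch (NumberFormatException e) { return false; }
        if (Math.abs(now - timestamp) > MAX_SKEW_SECONDS) return false;   // stale or future-dated: treat as replay

        byte[] expected = sign(secret, canonical(method, path, timestamp, body)).getBytes(StandardCharsets.UTF_8);
        byte[] presented = sig.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented);          // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        HmacRequestAuth auth = new HmacRequestAuth();
        byte[] secret = "constructed-sample-secret-not-for-real-use".getBytes(StandardCharsets.UTF_8);
        auth.registerClient("web-frontend-1", secret);
        long now = 1552367700L;                                    // constructed timestamp

        Map<String, String> h = signRequest("web-frontend-1", secret, "GET", "/user", null, now);
        System.out.println("fresh request:   " + auth.verify(h, "GET", "/user", null, now));
        System.out.println("replayed later:  " + auth.verify(h, "GET", "/user", null, now + 3600));
        System.out.println("method changed:  " + auth.verify(h, "DELETE", "/user", null, now));
        Map<String, String> rogue = signRequest("unregistered-key", secret, "GET", "/user", null, now);
        System.out.println("unknown key id:  " + auth.verify(rogue, "GET", "/user", null, now));
    }
}
```

One caveat applies directly to the question as asked: a secret embedded in browser-side JavaScript can be read by anyone who loads the page, so for a public single-page front-end this scheme identifies and rate-limits callers rather than proving that the request came from an approved application. It gives a real guarantee only when the signing secret stays on a server, for example when the approved front-end is itself a backend that proxies calls to this API.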

1 answer
骚年 ilove
#2 · 2019-03-12 13:25

You might find the Securing Single Page Apps and REST Services article by James Ward useful; it's built using Play Framework, Java, jQuery, and CoffeeScript.

The reference source is here: https://github.com/jamesward/play-rest-security/
