This question may not be a good fit for SO, as there can be multiple equally-valid answers.

But one way to do this would be to use SSL, user authentication, and tokens. Here's a rundown:

1. Use SSL for the pages that use the API.
2. When a page is freshly-requested from your site, you return it with a token that allows user login and nothing else. That token is associated with the requesting IP address on your server and can only be used with requests from that IP address, and only for logging in.
3. When the user logs in, you give them a new token that's associated with their user account and IP address. All subsequent requests must be made using that token, and from that IP address.
4. Limit the API calls that can be made with that token to only those that that user account must be able to use. Default deny, in other words.
5. Time-out the tokens (on the server) after whatever interval of inactivity seems appropriate to you.
6. Rate-limit requests to a rate that is reasonable for an actual human being using your application.
7. Make extensive use of your logs to determine patterns of typical activity, so you can identify atypical activity and block it.
8. This may be obvious, but make sure the tokens are hard to predict (not a steadily-increasing number, for instance) and hard to spoof. Although the IP address/token link is held server-side, you still don't want to make life easy for potential hackers.

The user authentication part of that is important, because otherwise, while you'd be pretty safe from remote hacking (because of the SSL), a hacker who uses a browser to go to your site so he/she can get the token can then use curl or similar to his/her heart's content with that token. So if someone is mining your site, you at least want to have some clue who they might be (your user authentication) so you can get them to stop.