I have a REST JSON API (built in .NET) that needs to be consumed by the following clients (over HTTPS):
- SPA website (AJAX)
- Mobile applications
Everything (API, SPA website, mobile apps) is in-house.
Usually for an API, I'd go with Basic authentication, but obviously once you open up your API to AJAX, security gets tricky.
A note on "securing" the API - I mainly want to stop scrapers hacking/hammering the API, and the data isn't exactly ultra-private.
Here are the solutions I have in mind:
- Do nothing. Leave it open, but use throttling/rate-limiting to stop my API being scraped.
- Create a middleman server that the AJAX calls need to go through. Obviously this means there's extra latency, doubling up on code, etc.
- Use HMAC authentication with nonces and an agreed message format between client/server, and only allowing CORS from a set of allowed domains. (Yes, I know the Origin header can be spoofed.)
I'm leaning towards option 3. Since we are over HTTPS the request can't be sniffed; however, obviously I can simply go to the SPA app, pop open Fiddler and see the HMAC message, but the nonces will stop the replay attacks. Obviously if someone was that way inclined, they could download the minified JS for the SPA app, find where the AJAX calls happen and somehow figure out the HMAC format. This is the only downside I can see.
Can I please have some advice on this?
Thanks
I think that you have great ideas to secure your Web API. Here are some additional thoughts:
I think that if you use / consider / implement some or all of these mechanisms, you will have pretty good authentication and security for your Web APIs ;-)
Hope it helps you, Thierry