server actions with middleware
Unanswered
Sage Thrasher posted this in #help-forum
Sage ThrasherOP
I'm trying to ensure that all my server actions can only be run from my website itself. I thought I could do this with middleware, but I'm unsure how?
10 Replies
B33fb0n3
You can't. Server actions are still publicly accessible endpoints, like a route handler. So you need to secure them inside your server actions: ask for tokens or other login credentials, so that the user (or your app) can use them.
Sage ThrasherOP
But I can get the origin of the request within the server action though, right?
also, is it possible to "obfuscate" server action endpoints, e.g.
domain.com/_next/[hash]
B33fb0n3
That may be right, but they are still not secure.
Sage ThrasherOP
Ofc, I just want to do my best to prevent people from being able to spam the requests,
because a lot of the endpoints are publicly accessible without auth
meaning anyone with the link for that server action can spam it
B33fb0n3
That's correct. People can access the endpoint and request (spam) it. However, when you check something inside that server action, you can answer the request directly with whatever you like, for example status 429.
Sage ThrasherOP
What's the benefit of using a server action over a regular API request? Ease of use and the fact that they're a regular callable function?
B33fb0n3
Most people say what you're saying, yeah. You also don't need to think about how to structure the route, or about which method to use and integrate (GET, POST, …).