Help me protect domain/api/* URL endpoints: if someone hits them, he gets all the data; protect it
Unanswered
Irish Wolfhound posted this in #help-forum
Irish Wolfhound (OP)
Hello all. In Next.js we declare API routes in the app/api folder. What if someone hits a URL like domain/api/users? Then they will get all users' data. How do I protect API URL routes in the backend? Tell me some ideas to fix this so that all api/* URLs are protected. YouTube channels don't actually talk about these security vulnerabilities. Chat has an API token, so they check if the request contains the API token and then they allow it, but how can I do this?
2 Replies
You only send the data the user has access to.
For example, /api/chats should only return chats the user is added to and not all the chats the DB has.
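
The scoping described in the reply, combined with the token check the question asks about, as an added example that is not part of the thread. `SESSIONS`, `CHATS`, the token values and the helper names are constructed stand-ins; a real app would resolve the session through its auth layer and put the user filter in the database query.

```javascript
// Constructed sample data standing in for a session store and a database.
const SESSIONS = new Map([
  ["tok-alice", "alice"],
  ["tok-bob", "bob"],
]);
const CHATS = [
  { id: 1, title: "project", members: ["alice", "bob"] },
  { id: 2, title: "lunch", members: ["bob", "carol"] },
  { id: 3, title: "private notes", members: ["carol"] },
];

// Resolve the caller from an "Authorization: Bearer <token>" header value.
// Returns the user id, or null when the header is missing or unknown.
function authenticate(authHeader) {
  const match = /^Bearer (\S+)$/.exec(authHeader || "");
  if (!match) return null;
  return SESSIONS.get(match[1]) ?? null;
}

// Core of the handler: authenticate first, then scope the query to the
// caller so the route never returns rows the caller is not a member of.
function chatsFor(authHeader) {
  const user = authenticate(authHeader);
  if (!user) {
    return { status: 401, body: { error: "unauthorized" } };
  }
  const chats = CHATS
    .filter((chat) => chat.members.includes(user))
    // Return only the fields the client needs, not the member list.
    .map(({ id, title }) => ({ id, title }));
  return { status: 200, body: { chats } };
}

// Shape of app/api/chats/route.js in the App Router
// (prefix with `export` in the real route file).
async function GET(request) {
  const { status, body } = chatsFor(request.headers.get("authorization"));
  return Response.json(body, { status });
}
```

Every route under app/api needs the same two steps: reject requests without a valid session, then filter by the authenticated user rather than by an id supplied in the request.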