If I understood it correctly, the following feature seems to be able to prevent a person from calling the API other than using the app. How does that work, and how secure is it?