Hi @nkanderson and thanks for the question/suggestion! First off, let me talk about what’s available today for you to do this kind of validation:
- you can choose to put your function behind a proxy route from another site, and use the
signed
feature in our proxy redirects described here: https://www.netlify.com/blog/2017/10/17/introducing-structured-redirects-and-headers/ and demonstrated here: Signed proxy redirects . This means only your app will call your functions, and your function can abort if someone calls it elsewise. This won’t prevent someone from hitting site.com/api (and triggering the function on othersite) repeatedly, but it will at least prove that traffic came via your site.
2.you can put in limitations via your function - it knows about IP addresses (sent to you as X-Nf-Client-Connection-Ip
). You can save IP’s to an external store and start aborting execution if you see an abuser, before they access your backend (via the function). This will protect your origin.
Neither of those helps you control usage via the provided URL; your function would run as many times as called. But they do ensure: 1) called via netlify and 2) won’t destroy your backend (e.g. stuff your fauna full of junk).
You can obscure a secret (e.g. API token) via a function, here’s an example: https://github.com/depadiernos/token-hider-inator ; not sure if that helps your use case or not.
When we launch Edge Handlers this will allow you to craft any protection you want. But that is still a bit of distance away from GA.
It is the case that we don’t have the block ability you want today; there is an open feature request which I’ve linked this to so I can let you know in case that situation changes, but I think it likely that Edge handlers will come out instead, since the team writing edge handlers would be the team who paused that implementation to implement a block, so they’ll probably focus on the release instead since that opens a lot of possibilities up, many more than just this one.
I don’t think we have any plans to enable a separate API gateway from what we already have; our advice would be to use native functions rather than ours if you have extended needs. Our implementation is really about integrating with our websites in the usual way. To date we’ve had exactly 2 functions “abusers”, one of whom abused their own site to prove it could be done. So - it’s not something that happens very often 
Hope that information helps you make a good decision as to whether our service is appropriate for your business or not!