API Access & Privacy Rule Challenges

I’m trying to provide API endpoint access only for an admin. This individual has a unique API key that I have provided them; however, when a normal user is logged in, they can view the API endpoint in the same browser without the API key.

How can I prevent normal, visiting users from seeing the API backend, but still let them view the data on the website front-end?