It does not matter if you expose some parameters to the client side, if you are using an API token/secure key to authenitcate the calls and this never reaches the client (I guarantee you that it doesnt, thats the whole point) then people will not be able to replicate the call.
Go on your settings > API > Public API Endpoints > Generate new API Token.
Generate an API token, and use it to authenticate the calls.
New trick is to use the APP connector instead of the API connector to make stuff quicker. The trick was laying in plain sight.
If the problem isnt secure API authentication, but rather that you dont want to expose the dynamic parameters to the client side, then thats another problem.