Need help with protecting public endpoints WITHOUT user authenticating

Hi all! I’ve already set up my backend (Express + GraphQL) and frontend (NextJS) with Auth0. Users are able to authenticate using Auth0 and call APIs (protected with Auth0) with the credentials, so I have no issue with this part.

But I need help with “protecting” APIs that are public. I want to have some APIs that my NextJS app will call WITHOUT the user logging in, but at the same time, these APIs should be protected in the sense that they should only be called by my NextJS app.

I have done some research on the official docs, and this is the closest thing I could find: Call Your API Using the Client Credentials Flow

But the article mentions M2M applications, so I guess the best way to go about it is creating a “proxy” API to get/generate client access tokens for my Next app to use? Is this the most ideal approach? But wouldn’t anyone also be able to access this “proxy” API to generate a client token as well?

Any help is appreciated!