There are a few good ways to authenticate clients.
- By IP address. In Apache, use the Allow / Deny directives.
- By HTTP auth: basic or digest. This is nice and standardized, and uses usernames/passwords to authenticate.
- By cookie. You’ll have to come up with the cookie.
- By a custom HTTP header that you invent.
Edit:
I didn’t catch at first that your web service is being called by client-side code. It is literally NOT POSSIBLE to prevent people from calling your web service directly, if you let client-side JavaScript do it. Someone could just read the source code.
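
The first two options in the list, sketched as a server-side check for a server-to-server caller. This is an added example, not part of the original answer. The names `ALLOWED_NETWORKS`, `USERS`, `ip_allowed`, `parse_basic` and `authenticate`, and all sample values, are assumptions made for illustration.

```python
import base64
import hmac
import ipaddress

# Constructed sample values for illustration only.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.10/32")]
# Plaintext passwords keep the sketch short; a deployment would store password hashes.
USERS = {"reporting-svc": "correct horse battery staple"}


def ip_allowed(remote_addr):
    """Allow / Deny equivalent: accept only peers inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(remote_addr, authorization):
    """Return an HTTP status: 403 for a denied address, 401 for bad credentials, else 200."""
    if not ip_allowed(remote_addr):
        return 403
    creds = parse_basic(authorization)
    if creds is None:
        return 401
    user, password = creds
    expected = USERS.get(user, "")
    # compare_digest avoids leaking how many leading characters matched.
    ok = hmac.compare_digest(password.encode(), expected.encode()) and user in USERS
    return 200 if ok else 401
```

Basic auth sends the password base64-encoded, not encrypted, so this check only makes sense over TLS, and the credential must stay on the calling server rather than in code delivered to a browser.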