How best to secure API from requests that aren't routed through Kong

Hi, my organisation is planning to use Kong to secure an API. We are considering approaches for securing the API in situations where the requests are sent to the API without going through Kong (e.g. if the API is accessed by IP).

Is there some way to tell if a request has come via Kong, that can be used by the web server to allow traffic through?

I understand I can check the IP address, but maybe there’s some way to get a signed token, in case I don’t know the IP?

I use the “Request Transformation” Plugin to add a header to the upstream request. I am using a rudimentary method of a UUID per API so each one is different; however, there are other plugins, such as the jwt-upstream, that someone has written to handle it in a more cryptographic way.

@ioneyed, I wish to understand what you meant by adding a UUID to the upstream header. What would the upstream API endpoint do in this case to ensure the request is coming via Kong only?
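
An added example, not part of the original thread or of Kong's own code: one way the upstream API can check the per-API secret header described in the reply above, written as Python WSGI middleware. The header name `X-Gateway-Secret` and the `GATEWAY_SECRET` environment variable are assumptions; use whatever header and value are configured in Kong.

```python
import hmac
import os

# Assumptions (not from the thread): header name and environment variable
# are hypothetical. The value is the per-API UUID that Kong adds upstream.
HEADER_ENVIRON_KEY = "HTTP_X_GATEWAY_SECRET"  # WSGI form of X-Gateway-Secret
EXPECTED_SECRET = os.environ.get("GATEWAY_SECRET", "")


def came_via_gateway(environ, expected=EXPECTED_SECRET):
    """Return True only if the request carries the secret header Kong adds."""
    presented = environ.get(HEADER_ENVIRON_KEY, "")
    # Fail closed when no secret is configured, and compare in constant time
    # so the response time does not reveal how much of a guess matched.
    return bool(expected) and hmac.compare_digest(
        presented.encode("utf-8"), expected.encode("utf-8")
    )


class RequireGateway:
    """WSGI middleware: reject requests that did not pass through Kong."""

    def __init__(self, app, expected=EXPECTED_SECRET):
        self.app = app
        self.expected = expected

    def __call__(self, environ, start_response):
        if not came_via_gateway(environ, self.expected):
            body = b"forbidden\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def api(environ, start_response):
    """Stand-in for the real upstream API."""
    body = b"ok\n"
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


application = RequireGateway(api)
```

A static header value is only as good as its secrecy, so this check relies on TLS between Kong and the upstream and on the value never being logged or echoed back to clients.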