How can I avoid abusive use of my REST API? For example, I have a website where certain actions earn a bunch of points which are stored within a user account. So technically, whenever this action is performed, I call my REST endpoint to add the points to the user account. The action itself only happens within the website, therefore there is no way to check from within the backend whether the action has really happened.
EDIT: Here is an example to narrow down the question: e.g. we have a waiting queue where you can decrease your waiting period by tweeting about the page. The Twitter SDK has a callback method which fires when the user sends the tweet. When this happens, the backend is called, e.g. api.somedomain.net/user/xyz123?hasTweeted=1 or similar.
So my question is, how to protect the last step (the call to api.somedomain.net), as somebody could look up this REST URL and trigger the call manually, without creating the tweet.
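One way the backend can stop trusting `hasTweeted=1` is to make the client submit the ID of the tweet it just posted and then fetch that tweet from Twitter itself before crediting anything. The example below is added here and is not code from the question; the `Tweet` shape, the `sample_lookup` stand-in for a server-side call to Twitter's tweet lookup endpoint, the user and tweet IDs, and the URL in the tweets are all constructed for illustration. It assumes `user_id` comes from the caller's authenticated session (not from the URL) and that the mapping from site user to Twitter account was recorded by the backend when the user signed in with Twitter.

```python
"""Server-side verification of a "user tweeted about us" claim.

The client never gets to assert "hasTweeted=1". It submits the ID of the tweet
it posted, and the backend looks that tweet up itself and checks author, content
and age before granting the reward, once. Nothing here touches the network:
`lookup_tweet` is injected, so the constructed tweets below stand in for what a
Twitter tweet-lookup call would return (an assumed shape, not a real payload).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Tweet:
    tweet_id: str
    author_id: str          # Twitter user ID of the account that posted it
    text: str
    created_at: datetime


# Constructed sample data standing in for Twitter's response.
SAMPLE_TWEETS = {
    "1001": Tweet("1001", "tw-alice", "Skip the line at https://somedomain.net/queue",
                  datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)),
    "1002": Tweet("1002", "tw-bob", "Skip the line at https://somedomain.net/queue",
                  datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)),
    "1003": Tweet("1003", "tw-alice", "just had lunch",
                  datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)),
    "1004": Tweet("1004", "tw-alice", "old https://somedomain.net/queue",
                  datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)),
}


def sample_lookup(tweet_id: str) -> Optional[Tweet]:
    """Stand-in for the backend fetching a tweet by ID from Twitter (assumed API)."""
    return SAMPLE_TWEETS.get(tweet_id)


@dataclass
class TweetVerifier:
    lookup_tweet: Callable[[str], Optional[Tweet]]
    required_url: str
    campaign_start: datetime
    # site user_id -> Twitter account ID, recorded by the backend during the
    # user's Twitter sign-in; never taken from the client at claim time.
    linked_accounts: dict
    credited_tweets: set = field(default_factory=set)   # replay protection
    credited_users: set = field(default_factory=set)    # one reward per user

    def claim(self, user_id: str, tweet_id: str) -> tuple:
        """Verify a claim for the authenticated user_id; returns (ok, reason)."""
        twitter_account = self.linked_accounts.get(user_id)
        if twitter_account is None:
            return False, "no linked twitter account"
        if tweet_id in self.credited_tweets or user_id in self.credited_users:
            return False, "already credited"
        tweet = self.lookup_tweet(tweet_id)      # fetched by the server, not the client
        if tweet is None:
            return False, "tweet not found"
        if tweet.author_id != twitter_account:
            return False, "tweet not by this user's account"
        if self.required_url not in tweet.text:
            return False, "tweet does not mention the page"
        if tweet.created_at < self.campaign_start:
            return False, "tweet predates the campaign"
        self.credited_tweets.add(tweet_id)
        self.credited_users.add(user_id)
        return True, "credited"


def make_demo_verifier() -> TweetVerifier:
    """Verifier wired to the constructed data above (hypothetical users and IDs)."""
    return TweetVerifier(
        lookup_tweet=sample_lookup,
        required_url="https://somedomain.net/queue",
        campaign_start=datetime(2024, 4, 1, tzinfo=timezone.utc),
        linked_accounts={"alice": "tw-alice", "bob": "tw-bob", "carol": "tw-carol"},
    )


if __name__ == "__main__":
    v = make_demo_verifier()
    for user, tid in [("alice", "1001"), ("alice", "1001"), ("bob", "1001"),
                      ("carol", "1003"), ("bob", "1002"), ("dave", "1002")]:
        print(user, tid, v.claim(user, tid))
```

The point of the structure is that every fact the reward depends on (who posted, what was posted, when) comes from Twitter via the server, and the only thing the client contributes is an identifier. Someone who calls the endpoint without tweeting has no tweet ID that passes the author check, and someone who reuses a real tweet ID is stopped by the credited sets; in a real deployment those sets live in the database, and the endpoint should also require the normal session cookie or token and be rate limited.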