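// Node's built-in crypto module provides the constant-time comparison used
// below. CommonJS form shown; in an ES module use
// `import crypto from 'node:crypto';` instead.
const crypto = require('crypto');

/**
 * Express middleware that lets a request through only when it carries the
 * expected API key.
 *
 * The key is read from the request body (`req.body.apiKey`); it could also
 * be read from a header. `req.body` is only populated when a body parser
 * (e.g. `express.json()`) is registered before this middleware.
 *
 * The check fails closed: a missing body, a missing or non-string key, or an
 * unset/empty SECRET_API_KEY all produce the 403 response.
 *
 * @param {object} req - Express request.
 * @param {object} res - Express response.
 * @param {Function} next - Called with no arguments when the key matches.
 * @returns {*} The result of `next()` on success, otherwise the 403 JSON response.
 */
function checkAPIKey(req, res, next) {
  // you would have the key in an env variable or load it from
  // your database or something.
  const expected = SECRET_API_KEY;

  // Guard against a missing body so an unauthenticated request is answered
  // with 403 rather than an unhandled TypeError.
  const supplied = req.body ? req.body.apiKey : undefined;

  // Require both sides to be non-empty strings. With a plain `===`, an unset
  // SECRET_API_KEY (undefined) would match a request that simply omits
  // apiKey, silently granting access.
  const comparable =
    typeof supplied === 'string' &&
    typeof expected === 'string' &&
    expected.length > 0;

  if (comparable) {
    // Hash both values so the buffers have equal length (timingSafeEqual
    // throws on a length mismatch), then compare in constant time so the
    // response time does not reveal how much of the key was correct.
    const digest = function (value) {
      return crypto.createHash('sha256').update(value, 'utf8').digest();
    };
    if (crypto.timingSafeEqual(digest(supplied), digest(expected))) {
      return next();
    }
  }

  return res.status(403).json({ 'error': 'no access' });
}

// then bind that middleware in your routes before any paths
// that should be protected; routes registered above this line
// are NOT covered by the check.
app.all('/api*', checkAPIKey);

// the rest of your api endpoints go below here, e.g.
app.get('/api/stuff', getStuff);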