I wouldn't do that. It's bad design. Anyone interested can look into the workings of your API anyway by using the Chrome network monitor, for instance. The behavior desired by you does in no way secure or hide the API, nor does it prevent anyone wanting access.