How to make secure backend API calls with Expo Authentication

Hi All!

Perhaps a stupid question but…

I’ve built an app that uses Expo Auth to authenticate the user with Google. That’s all fine and I can now use data from the logged in user to create calls to my backend API. But the API (built with Nextjs API routes) is completely open. What would be the best way to make all my API calls secure so only logged in users can do requests?