Aug 9, 2023
Hi!
A few things you can consider when it comes to security for a (Plumber, or any other) API:
* Input validation (to prevent SQL injection or XSS attacks).
* Add a rate limit so you reduce the chance of a machine hitting your endpoints too often.
* Logging (as far as that is allowed! E.g. GDPR) to keep an eye on what's happening.
* Hire a 3rd party to do a pentest.
These are just a few things, this list can be much longer. But hopefully it already gives you a direction!
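The first three points above (input validation, a rate limit, and logging) in a small Plumber API, as an added example that is not part of the original post. The filter names, the 60-requests-per-minute limit, the `/user` endpoint and the commented-out DBI query are all assumptions made for the illustration; the rate-limit state is an in-memory store, so it resets when the process restarts and is not shared between workers.

```r
# plumber.R -- added example, not from the original post.
library(plumber)

# Constructed in-memory store: one entry per client address holding the
# start of its current window and the number of requests seen in it.
rate_state <- new.env(parent = emptyenv())
RATE_LIMIT  <- 60   # assumed: max requests per window
RATE_WINDOW <- 60   # assumed: window length in seconds

#* Rate-limit filter: answers 429 once a client exceeds RATE_LIMIT
#* requests within RATE_WINDOW seconds (fixed window per address).
#* @filter rate_limit
function(req, res) {
  key <- if (is.null(req$REMOTE_ADDR)) "unknown" else req$REMOTE_ADDR
  now <- as.numeric(Sys.time())
  entry <- rate_state[[key]]
  if (is.null(entry) || now - entry$start > RATE_WINDOW) {
    entry <- list(start = now, count = 0)   # new window
  }
  entry$count <- entry$count + 1
  rate_state[[key]] <- entry
  if (entry$count > RATE_LIMIT) {
    res$status <- 429
    return(list(error = "rate limit exceeded"))
  }
  plumber::forward()
}

#* Logging filter: records time, method, path and client address only.
#* Request bodies and query values are deliberately not logged, which
#* keeps personal data out of the log (the GDPR point above).
#* @filter logger
function(req, res) {
  cat(sprintf("%s %s %s from %s\n",
              format(Sys.time(), "%Y-%m-%dT%H:%M:%S"),
              req$REQUEST_METHOD, req$PATH_INFO,
              if (is.null(req$REMOTE_ADDR)) "unknown" else req$REMOTE_ADDR))
  plumber::forward()
}

#* Look up a user by id. The id is validated against an allow-list
#* pattern before anything else happens with it.
#* @param id user id, must be a positive integer
#* @get /user
function(id = "", res) {
  if (!grepl("^[0-9]{1,9}$", id)) {
    res$status <- 400
    return(list(error = "id must be a positive integer"))
  }
  id <- as.integer(id)
  # Assumed database access, shown for illustration only: with a
  # parameterised query the id is bound as data, never pasted into SQL text.
  # con <- DBI::dbConnect(...)
  # DBI::dbGetQuery(con, "SELECT name FROM users WHERE id = ?", params = list(id))
  list(id = id)
}
```

Run it with `plumber::pr("plumber.R") |> plumber::pr_run(port = 8000)`; Plumber applies both filters to every endpoint that does not opt out with `@preempt`, so the order in the file (rate limit first, then logging, then the endpoint) is the order in which a request is handled. The validation rejects anything that is not a short run of digits, so even an endpoint that later builds a query keeps the value bounded, and the response for an invalid id is a plain 400 rather than an R error message that could leak internals.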