Let’s say that my REST API is secured using OAuth 2, and that my client is a mobile app. Let’s say that I have an API call:

@Post /increasePoints host:https://www.example.com/increasePoints amount=10

Now, to use this API call, one should have a valid access token. From my app I have control over when to call this function, so there is no problem. But let’s say the authenticated user gets hold of the access token. How can I stop him from posting to this API using his access token?

A few options that I thought of:
- Sign each call with a special header.
- Use client_authentication with scope points – I’ve just read about this type of authentication, but the user can get the access token with the same ease, from what I understand.
8
You simply don’t give the user access to that API. For example, we have several web apps which use access tokens and bill the user for certain actions. The billing system is centralised, and there’s an app used by our customer services to add credits to the bills.
But there’s no reason why the access token the end user gets to perform the actions on the app they are using should give access to the billing system, as that would mean they could add credits whenever they liked. The user’s id is checked against a database of actions they can perform, and trying to add credits isn’t one that’s allowed. It seems you’re in a similar situation, but haven’t separated administrator actions from the end user’s actions.
e.g. if you check out in an online shop, then the action exposed is to check out. There aren’t separate ‘send these items to me’ and ‘charge my PayPal’ actions in the API, though both happen on the server; the user can’t do one without the other. The actions are located in the user’s frame of reference.
Don’t rely on your app to be the gatekeeper and increase points. Implement whatever action the user does to increase the points on the server instead, and it doesn’t have to expose the sensitive action in the API. If you have some reason to expose the action for admin use, then check that the user the token belongs to is an admin.
2
You need to store the API token on your server and validate it against the database for each API call. So when you need to revoke access, remove the API token from the database, and it will be invalid on the next call.
2
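A minimal in-process sketch of both answers, added here as an example rather than code from either poster: an opaque token looked up server-side on every call (so deleting it revokes access), plus a per-role action list where the end user's exposed action is completing a level and increasePoints is reachable only with an admin's token. The names TOKENS, complete_level, admin_increase_points and the sample tokens are assumptions for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    user_id: str
    role: str  # "user" or "admin"

# Server-side token store (second answer): every call looks the opaque token
# up here, so deleting an entry revokes it immediately. Sample data is
# constructed for this example.
TOKENS: dict[str, Session] = {
    "tok-alice": Session("alice", "user"),
    "tok-ops": Session("ops-1", "admin"),
}
POINTS: dict[str, int] = {"alice": 0}

# Actions each role may invoke (first answer): increasePoints is simply not
# an action an end user's token is allowed to perform.
ALLOWED = {
    "user": {"completeLevel"},
    "admin": {"completeLevel", "increasePoints"},
}

class Forbidden(Exception):
    pass

def authorize(token: str, action: str) -> Session:
    sess = TOKENS.get(token)
    if sess is None:
        raise Forbidden("invalid or revoked token")
    if action not in ALLOWED[sess.role]:
        raise Forbidden(f"role {sess.role} may not {action}")
    return sess

def complete_level(token: str) -> int:
    """POST /completeLevel: the action in the user's frame of reference.
    The server decides the reward; the client never sends an amount."""
    sess = authorize(token, "completeLevel")
    POINTS[sess.user_id] = POINTS.get(sess.user_id, 0) + 10
    return POINTS[sess.user_id]

def admin_increase_points(token: str, user_id: str, amount: int) -> int:
    """POST /increasePoints: reachable only with an admin's token."""
    authorize(token, "increasePoints")
    POINTS[user_id] = POINTS.get(user_id, 0) + amount
    return POINTS[user_id]

def revoke(token: str) -> None:
    TOKENS.pop(token, None)  # the next call with this token fails authorize()
```

A stolen end-user token can still call completeLevel, but only earns what the server decides to award for that action; it cannot reach increasePoints at all.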