Securing APIs for plugins


I will be trying to get my first project approved for CodeCanyon over the next few weeks, the type of plugin that it is means that it will be making a lot of API calls for information generated by remote servers.

My questions are as follows:

  1. Is there a standard practice for Wordpress Envato plugins to authenticate the user making the API calls?
  2. Do I lock it down to the users domain name?
  3. Do I do a standard second registration on the settings page within the plugin?
  4. Do I have to leave the API open to the world?

The reasons I ask is that the data is quite valuable and if it is open to the world and it will more than likely be abused.

Any help on this would be greatly appreciated.