I'm having a lot of trouble understanding how this works. I'm developing a few side projects where I'm wanting a Node.js based API sitting on api.domain.com hosted on a VPS. I then have the Backbone.js based client sitting on separate static hosting at www.domain.com and on my local machine with www.domain.dev. This works nicely as I can separate my mindset nicely between the frontend and backend and I can also update either one without affecting the other.

But the API server is effectively "open" to the world. My client is pulling JSON from it and even making a few POSTs. An example of the POST would be that some customers have purchased a few digital files, they've filled in the Stripe checkout form, I get back the credit card token, make a new order, send an email. Just one example, but there is a POST going on there which, if others find out how, could be used to post and make lots of new orders. There is no log in for the customers; it's not required in this case as orders are fulfilled by the simple completion of the payment, the email they receive and the order's unique URL. But don't take this as something to question, just an example of "open" POSTs that may occur.
I want to secure the API server so it only accepts requests from my client. I've read other Stack Overflow questions such as this one and have done lots of reading into OAuth2 etc. But I either simply don't understand what it means, or how it actually works, and wonder if it's still overkill. Though my projects are small, I want to ensure they have a strong infrastructure and are built to a good level of quality and security. I'd love to understand how other people would approach this problem...
How do I secure my Backbone.js client to my Node.js-based API, which doesn't have a secured area (logged-in users, etc.), so it's not open to attack?