How can I make App Engine HTTP URL handlers callable internally only?

I have a set of different modules with HTTP URL handlers. Some module handlers are designed only for internal access and I use urlfetch to call them from other modules. How can I ensure that these handlers are not callable from the wider internet?

Task queues get around this by allowing you to add login: admin to their URL app.yaml. This allows you to be sure that a task queue can only be invoked via an internal task queue function call. Is there something similar I can do with my handlers? I don't want to have to share a secret between the API and its consumer.

GAE has built-in admin auth:

developers.google.com/appengine/docs/python/users/adminusers

In your URL handler read the X-Appengine-Inbound-Appid header value. It will be populated with the name of your App Engine app that called the handler via its url fetch method. Make sure the url fetch method that makes the call does not follow redirects.

Click here for documentation associated with this.

Here's my Go handler that achieves what I was looking for:

func internalOnlyHandler(h http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        c := appengine.NewContext(r)
        appID := appengine.AppID(c)
        headerAppID := r.Header.Get("X-Appengine-Inbound-Appid")
        if appID == headerAppID {
            h.ServeHTTP(w, r)
        } else {
            http.Error(w, "403 forbidden", http.StatusForbidden)
        }
    })
}