Need help verifying the origin of a request with C# and JavaScript

First, let me start with, I understand JavaScript can be tampered with so I'm not looking for a fool-proof solution. I have a public API that takes requests from external web applications. Sometimes the web applications are directly hitting our API and other times they jump through another API offered by some of our Partners.

In a partner scenario, we want to ensure the API requests are ultimately coming from specific URLs. My idea is this:

We're allowed to offer a script that the webapps can add to their sites so I was thinking we can set up an API Endpoint whose job is to capture the request, verify the origin (URL), and spit out a token that they must ultimately send later with the real API request through the partner API.

Is there a better approach or am I just really limited to the origin header to find out the website? I was hoping there were additional data points I can leverage on the client side to verify the traffic is coming from a specific URL

You say your API is public but what you're looking for is authentication so you can verify the source of requests. I'd suggest some sort of API key authentication is in order in your situation.

If you're concerned with partners tampering with request, you'll want to implement a client signature for each request. This is typically done by issuing each client an api key and secret key. The secret key is used to generate a signature sent with each requests. Your server verifies the signature before responding. The api key and secret key should be issued directly to the client and not through partners to avoid man in the middle attacks.

Depending on your platform there are plenty of middleware and libraries to help implement this sort of authentication scheme.