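# Referer-based gate for api.php.
#
# NOTE: the Referer header is supplied by the client. It can be omitted or set
# to any value by a non-browser client, so this rule is not an access control.
# It only stops casual cross-site embedding. Anything api.php exposes that
# needs protection must be guarded by server-side authentication/authorization
# in the application itself.
# Side effect: browsers that send no Referer (privacy settings, a strict
# Referrer-Policy on the linking page) receive 403 as well.
RewriteEngine On

# Step 1: Check if the request is for api.php
# The pattern also matches /api.php/<anything>, because a request with trailing
# path info is still served by api.php when the server accepts path info
# (see AcceptPathInfo), and an exact-match pattern would let it skip the check.
# Assumes api.php lives in the document root; adjust the path if it does not.
RewriteCond %{REQUEST_URI} ^/api\.php(/|$) [NC]

# Step 2: Check if the Referer is NOT your domain
# (Replace 'yourdomain.com' with your actual website domain)
# The host must be followed by an optional port and then "/" or end of string.
# Without that terminator the pattern is only a prefix match, and a referer
# such as https://yourdomain.com.other-site.example/ would be accepted.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(:[0-9]+)?(/|$) [NC]

# Step 3: If both above are true (request is for api.php AND referer is wrong/empty)
# Then block access (Return 403 Forbidden)
RewriteRule ^ - [F,L]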