Do you have your API server in a DMZ (if you are hosting that in-house)?
Gloria
Our API server is internal. We have firewall rules that allow our web server (in the DMZ) to reach it. The API server does not need to be publicly accessible (at least not with our setup). As far as I understand it, only the web server needs to have access to the API server. So if your web server was hosted out of house on a fixed IP, you would need to have firewall rules allowing access back to the API server from that IP only.
-Rich