Unfortunately the "GET API" as you call it is integral to the functionality of NodeBB on the client-side. During the normal usage of NodeBB, it is constantly using the /api to load new pages, etc. It's not something that can be turned off, but it might be possible to restrict it to only accessible to users with a certain cookie. This doesn't currently exist, though.
You can open an issue on Github if you'd like this looked into further.
