How to prevent accessing a web api from a web address
Sorry if the question has been asked before. I searched but I can't find a way to solve my problem.
I have a web API (I don't use OWIN or anything like that). The API creates a task from data sent by the application and returns the taskId and pageId to the application to pass as a GET/POST parameter to the website. After that, the application that integrates the web API redirects to one of my web application's pages to complete the task created by my web API. I have some security flows, such as appid-password, to control the accessing application. But this has some security problems.
If a customer shares the appid and password with another person, then the appid and password info could be used by a disallowed application.
Here is what I tried to solve the problem:
I tried to get the HttpContext.Current.Request.Headers["Origin"] info, but the application that integrates my web API must send the header, and it could not solve the problem, because the same "Origin" header can be sent by a bunch of applications. I tried to use HttpContext.Current.Request.Headers["REMOTE_ADDR"] or HttpContext.Current.Request.Headers["REMOTE_HOST"], and both of them return the IP address of the customer's application. These could not solve my problem either, because on one server there may be thousands of applications. I tried to resolve the DNS name from the IP address, but I could not achieve this because the integrated application may not be registered or may not be accessible from an outside network.
What is the best way to solve this problem? Thanks for your help.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
