Not a Logged-In User, But Want to Communicate With a Token. Is That Possible?

I am building a pharmacy website as practice for Next + Strapi. On that website, when a customer sends an order, I send a POST request to Strapi to subtract the amount of each medicine that the customer purchased from Strapi CMS, so that the website will reflect the latest information on the availability of medicines without doing it manually.

But the issue at the moment is that anyone who knows the API endpoint can update that information. So, is there a way to communicate only between my website and Strapi?
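One way to restrict the update to the website's own backend, as an added example that is not part of the original post: keep a Strapi API token in a server-side environment variable and make the stock update from server code (for instance a Next.js API route), never from the browser. Assumptions: Strapi v4 REST response shape, a hypothetical `medicines` collection with a numeric `stock` field, env names `STRAPI_URL` and `STRAPI_API_TOKEN`, and the Public role's update permission disabled in Strapi.

```javascript
// Added example. Runs on the server only, so the token never reaches the browser.
// Collection name, field name and env variable names are assumptions for illustration.

// Reject malformed order items before anything is sent to the CMS.
function validateOrderItem(item) {
  const id = Number(item && item.id);
  const qty = Number(item && item.quantity);
  if (!Number.isInteger(id) || id <= 0) throw new Error("invalid medicine id");
  if (!Number.isInteger(qty) || qty <= 0 || qty > 100) throw new Error("invalid quantity");
  return { id, qty };
}

// Build the authenticated update request (Strapi v4 wraps fields in "data").
function buildStockUpdate(env, id, newStock) {
  if (!env.STRAPI_API_TOKEN) throw new Error("STRAPI_API_TOKEN is not set");
  return {
    url: `${env.STRAPI_URL}/api/medicines/${id}`,
    options: {
      method: "PUT",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${env.STRAPI_API_TOKEN}`,
      },
      body: JSON.stringify({ data: { stock: newStock } }),
    },
  };
}

// Read the current stock, refuse to go negative, then write the new value.
// fetchImpl is injectable so the function can be exercised without a network.
async function decrementStock(env, item, fetchImpl = globalThis.fetch) {
  const { id, qty } = validateOrderItem(item);
  const read = await fetchImpl(`${env.STRAPI_URL}/api/medicines/${id}`, {
    headers: { Authorization: `Bearer ${env.STRAPI_API_TOKEN}` },
  });
  if (!read.ok) throw new Error(`lookup failed: ${read.status}`);
  const current = (await read.json()).data.attributes.stock;
  if (current < qty) throw new Error("insufficient stock");
  const { url, options } = buildStockUpdate(env, id, current - qty);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`update failed: ${res.status}`);
  return current - qty;
}
```

The read-then-write here is not atomic, so two simultaneous orders can race; a custom Strapi controller that performs the decrement in one database operation would close that gap.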