The standard way of securing APIs on the Internet is through the use of keys and secrets, and a serverless API is no different. You should secure every function you create with at least function-level authorization, unless there is a compelling argument for it being public. You should definitely secure your data-input APIs and any output APIs with sensitive information on them. Public-facing APIs are an interesting case for serverless, because you are charged per request. This means that a malicious actor could DDoS your public function and hit you where it hurts the wallet. Friendly users with valid keys could inadvertently do this as well if they don't rate-limit their requests. A good solution to this, and a generally good solution for API's in general, is to use an API proxy. Microsoft has one called the Azure API Gateway, or there are other services like Apigee or MuleSoft.