It is perfectly normal to have your API's URL in the front-end code; it would not work otherwise.
However, you should always make sure that your API is only accessible by authorised users. You can do this by setting up a form of authentication; here is just one article I found that explains it, and you can easily find other methods if you google "API authentication".
The best answer is very dependent on your web app and backend, but I would not go live unless you have something like that in place! Something else to consider is making sure your APIs won't be exploited. If you use some sort of SQL, watch out for SQL injections, etc. Make sure your API return doesn't contain data that the code does not need, because that might expose infrastructure that might be exploited!
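
The three points in the answer above (authenticate callers, keep user input out of the SQL text, return only the fields the front end needs) combined in one handler. This is an added example, not part of the original answer; the `users` table, the token store and the `get_user` handler are hypothetical, and all data is constructed.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: the table holds columns the front end must never see.
db = sqlite3.connect(":memory:")
db.row_factory = sqlite3.Row
db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT,"
           " password_hash TEXT, internal_host TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
    (1, "alice", "alice@example.test", "x" * 64, "db-01.internal.example.test"),
    (2, "bob", "bob@example.test", "y" * 64, "db-02.internal.example.test"),
])

# Hypothetical token store: only SHA-256 digests of issued tokens are kept.
TOKEN_DIGESTS = {hashlib.sha256(b"constructed-demo-token").hexdigest(): 1}

# Allow-list of response fields: everything else stays on the server.
PUBLIC_FIELDS = ("id", "name")


def authenticate(headers):
    """Return the caller's user id, or None if the bearer token is missing or unknown."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    for known, user_id in TOKEN_DIGESTS.items():
        if hmac.compare_digest(digest, known):  # constant-time comparison
            return user_id
    return None


def get_user(headers, name):
    """Handle a lookup by name and return (status, body)."""
    if authenticate(headers) is None:
        return 401, {"error": "authentication required"}
    # Placeholder binding: `name` is sent as data, never spliced into the SQL text.
    row = db.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return 404, {"error": "not found"}
    # Even though the query fetched every column, only allow-listed fields leave the API.
    return 200, {field: row[field] for field in PUBLIC_FIELDS}
```
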