How do I hide a REST API Url from the end user?
It's not possible to hide the URL From the end user in JavaScript. They can simply open up the Network panel in Chrome, or just turn on Fiddler to see it.
In your particular case, the only real way you can hide the URL from the user is to proxy the REST call to your API from your server-side code.
If you must use JavaScript, you can always create and use APIKeys and simply monitor their usage and terminate API Keys that are taking up too much bandwidth; but again -- this isn't going to stop someone from being able to use your API, it'll just let you know when you receive an unexpected amount of traffic from unexpected places.
You could take it further by cycling API keys every day, so if someone wants to use your API; they have to change their code every day -- but again, this won't stop someone, just slow them down.
The only fullproof way is the way I mentioned in my first paragraph -- but that can't be done from client-side JavaScript alone.
Update in the age of Single Page Applications
What I wrote holds true, even for Single Page Applications (SPA); though you can hide the URL in the address bar by having different routing for your client-side application than your server-rendered pages.
The user can still inspect the traffic in their browser's console to check where the requests are going (there's no getting around that), but you can at least display different paths in the address bar.
By hiding I'm assuming you mean not having any association to the URL shown in your Javascript. Unfortunately it's not possible to hide the URL as far as I know, even if you managed to hide it in javascript, the request would be visible in any extension capable of picking up outgoing and incoming http requests on a web page.
Not really. The page needs to have access to the URL in order to use it, and this gets you into the age-old problem of showing somebody something while hiding it from them at the same time. Modern browsers with built-in debugging tools compound the problem: even if you encrypt the URL, there comes a point where you will have to decrypt it in order to use it, and debuggers can jump in at that point.
Is there a particular reason that you're concerned about others using the API? There isn't really a way to prevent others from finding the URL, but there may be other ways to achieve your goal.
It is not possible to hide the url from anyone with the motivation and determination to find it. It is not advisable to depend on security by obscurity and everything exposed via REST should be considered a potential vulnerability and all necessary security checks made on the server side. Treat all REST APIs just as you would a public web page.