"I would think that the referent would be metromapper.org, as this domain calls yourmapper.com script after it loads."
This is not true. First, you should never rely on HTTP_REFERER, because it is a voluntary parameter passed by most (not all) browsers, and it can be easily faked. I can send your requests to the website using CURL, which will make it look like the referrer was whitehouse.gov, if I want. There are no security measures.
It is said. The browser sets this parameter to a page that links to the user of the loaded page. Not a script. So the reason you see the result you see is because the user was sent to metromapper.org via the link to stackoverflow.com
Finally, let me move on to the juicy part. You use JS to encode things in a browser. This is great, and this is absolutely not a problem. But you must remember that JS is open source. Therefore, people can (and will) bother with your code in order to play with your API just because they can. What, as they say. It is probably best to pass the URL of the site along with the request in your JS-api. This is the best way to “track” which sites use your script. You can check the server side to make sure the URL has been passed. This will prevent people from changing your API to remove the bit that sends the URL to your server. However, this does not prevent them from modifying it to use a different URL or a random unregistered one as a parameter.
Of course, you can create a PHP API that they run on their server. The JS API connects to the PHP API, and the PHP API is encoded with zend protection (or some other source code protection code system), but then there will still be people who decrypt the file to return to your source and chat with you. Of course, there would be far fewer people who could do this, and the average user would simply use your API as it is. Then you also have a problem when people cannot run your API on servers that do not have the ability to run encoded PHP files.
In the end, you must determine your level of security and authentication, but since your API works in JavaScript in the client’s browser, access to it is much less than obfuscation.
I would say that your best option is simply to have your JS code hook the URL of the current page and send it with an API request. From there, your server can process the URL to get the root domain and any other information that you want to keep.
If you want people to not "swap" requests for other URLs for user websites, you could implement the PHP API, which is installed on the user server in a specific place. For example http://www.domain.com/my-app-name.php
All JS API calls must go through the script. When a user loads your API, they must enter their website URL and other information. Your system generates a “key” and enters it into the script before packaging it to load them. This key is valid for your domain and is used to encode the entire transfer to / from your API using say blowfish or another two-way encryption algorithm. Thus, when your API receives a request from its PHP API file, you get the URL of the page on which the request was made, encoded with a key that only you and the administrator of this site have. So the request comes through something like this: metromapper.org/api?site=[url_encoded_page_address†&req=►encrypted_request]
The server uses the page URL to determine which key should be used to decrypt the data. Then it decrypts the data. If the data is corrupted or not decrypted as expected, then this is an invalid request, and you should simply exit it.
The reason why I propose using a PHP file for encryption, as opposed to writing encryption in JS, is because you do not want to burden the client (each visitor to the site) with the encryption / decryption load, and PHP will process this much faster than JS since there are libraries created to handle these tasks for you.
In any case, you should be on the right track to track and verify requests to different sites against your API.