I was working through WP-API and all is great.
One issue I had with WP-API is that the endpoints ( such as /wp-json/wp/v2/posts , /wp-json/wp/v2/pages etc ) are also accessible even using GET requests.
Although authentication is required for POST requests ( you can choose to use Basic Auth, Oauth1 or Oauth2 via https://wp-oauth.com/ ), some of us may want it to be slightly more secure. For example requiring access tokens even for GET requests.
Hence I quickly coded a simple wordpress plugin called Secure WP-API
What this wordpress plugin does is that it checks for access_token in the url, and only allows the request to continue if the token is valid.
Have a look at the plugin at https://github.com/EugeneLiang/wp-api-secure
PS: this plugin requires https://wp-oauth.com/ in order for it to work.