Web API is actually accessible through HTTP protocol, it doesn't say whether it is accessed by a web browser or an application. Web API would always respond to requests coming on HTTP, web browsers do send the requests through HTTP, that is why Web API is always accessible from a web browser whereas in case of an application you have to use libraries.
Now, the concept of securing them (
as already stated in the comment to your question) depends entirely on how you want to secure the application. There may be many ways to do this (to accept a few requests and not accept the others), but simplest would be to add a QueryString to the URL to trigger the Web API, otherwise, send a 503 (Service Unavailable;
to the web browser). For example you may consider accepting the URLs like,
http://www.yourwebsite.com/api/controller?from_app=true
But that still doesn't secure your website, because anyone can write that in the URL that is why you should consider creating and using a token for your users or applications. A token like
GUID
[
^] that cannot be guessed by an ordinary user but your application knows it.