WordPress: to detect if a rest api call is internal (from the dashboard) or external, is it safe to use an empty get_http_origin()?

Use case

I am using the filter add_filter('determine_current_user', function, 10); to detect if the current call is a rest api call or not, to provide authentication

  • I want this for external rest API calls

  • But I see that it also catches internal rest API calls for example when I'm editing a post in the dashboard

How can I discriminate those calls that come from the own WordPress?

One possibility would be to see if get_http_origin() is empty (meaning this is from the WP server itself), but not sure if this a secure way to do this