Let's assume that I have a website with a map showing sensors in different locations.
My website provides an API for developers with limitations - 1000 requests/day are free and if you want more you have to pay $0.0008/request. Verification is done using a credit card.
However, this map that I have uses the same API for querying data. How can I make the API capable of distinguishing these two things? I want users to be able to see sensor data on my map on my website but I don't want other developers to steal this data without using the proper API.
It's good to see that you realize that every API on the Internet is a public API, and therefore can be abused, given sufficient time to discover its weaknesses.
I suppose a solution could include some of the following ideas. Sadly, each of the following ideas has a weakness, but a combination of them could adequately cover your requirements. You may never be able to absolutely guarantee the solution, but you could get very close.
Idea: Track behavior. Is it easy to recognize the "normal" behavior of a map calling the API? For example, does it invoke the API only once per minute, or many times per second? If the normal, map-caused frequency is low, then you could consider higher frequencies to be from developers, rather than map users.
Idea: Track users. Are users of your website's map required to log in? If so, you could track each user's API calls, and look for numbers that are too high for normal map usage.
Idea: Track each map display. Each display of a map in a browser window is assigned a unique ID, which is included by the web server in the generated HTML/JavaScript of the web page. The ID is then sent back with each API request from that displayed map. In the API server, if the ID is not in the list of those for currently-displayed maps, then the API request is rejected. This concept is similar to a "nonce", so I'll call it a map-nonce. A developer who directly calls the API would not have a valid map-nonce, so they cannot masquerade as a map. And, even if they have a valid map-nonce from another browser or user, it would not be valid for their particular session. If you implement this, you would have to track the map-nonces that are active. After a while, a map-nonce should expire. When the user logs out, the map-nonces for that session are expired. If a map makes an API request, and the request is rejected due to its map-nonce, then the map should re-display, which will cause it to get a new map-nonce from the server.
Idea: Obfuscate. Put the map and the API on different domains. Make the map's API different from the developer's API (perhaps JSON versus querystring). Don't (publicly) document the map's API. Only include essential data for the map in the map's API. Change the map's API at intervals, to trip up any abusing developers. As map users have a brain that filters nonsense visual data, you could include bogus data in your map API -- if carefully done, the map users won't mind.
So, by identifying users and map displays, and then considering their API behavior, you should be able to reasonably determine if someone is abusing your API. Of course, you can bet that someone is going to find a way to hack this, so you should keep statistics, and remember to engage your cerebrum and eyeballs at regular intervals.
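A server-side sketch of the map-nonce idea combined with per-display frequency tracking, added here as an illustration and not part of the original answer. The class name, the `"ok"`/`"redisplay"`/`"throttled"` return values, the 600-second lifetime and the 30 calls/minute ceiling are all assumptions chosen for the example.

```python
import secrets
import time

NONCE_TTL = 600         # assumed map-nonce lifetime, in seconds
MAX_CALLS_PER_MIN = 30  # assumed ceiling for normal map polling


class MapNonceStore:
    """Server-side registry of map-nonces for currently displayed maps."""

    def __init__(self, ttl=NONCE_TTL, max_per_min=MAX_CALLS_PER_MIN,
                 clock=time.monotonic):
        self.ttl, self.max_per_min, self.clock = ttl, max_per_min, clock
        self._nonces = {}  # nonce -> session, expiry and rate-window state

    def issue(self, session_id):
        """Call while rendering the map page; embed the result in the HTML."""
        nonce = secrets.token_urlsafe(32)  # unguessable, one per map display
        now = self.clock()
        self._nonces[nonce] = {"session": session_id, "expires": now + self.ttl,
                               "window": now, "count": 0}
        return nonce

    def check(self, nonce, session_id):
        """Return 'ok', 'redisplay' (map must reload) or 'throttled'."""
        now = self.clock()
        entry = self._nonces.get(nonce)
        if entry is None:
            return "redisplay"          # never issued, or already expired
        if now >= entry["expires"]:
            del self._nonces[nonce]
            return "redisplay"
        # A nonce copied from another browser or user fails the session binding.
        if entry["session"] != session_id:
            return "redisplay"
        # Fixed one-minute window: count calls made by this one map display.
        if now - entry["window"] >= 60:
            entry["window"], entry["count"] = now, 0
        entry["count"] += 1
        return "ok" if entry["count"] <= self.max_per_min else "throttled"

    def expire_session(self, session_id):
        """Call on logout: drop every map-nonce issued to that session."""
        stale = [n for n, e in self._nonces.items() if e["session"] == session_id]
        for n in stale:
            del self._nonces[n]
```

The dictionary is per-process; with several API servers the same state would have to live in a shared store.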