If you need to do POSTs using the API, the handler webapp needs to be set to 'anyone, even anonymous' for now until this issue is resolved or I figure out a workaround. You can protect against writing by using the method described in setting up GAS API for handler. This describes how you can create multiple handlers which allow different kinds of operations. Specifically, you could set permissions on a read-only handler however you want, limit the operations it could perform, and distribute it to anyone who needed read-only access, whilst also protecting it with Google Sharing permissions. Another handler, whose URL you would not distribute widely, would allow writing, but would need its permissions to be 'anyone, even anonymous'. This is not ideal, but is OK to get started, I guess.
As described in A VBA API for scriptDB, parse.com - nosql database for VBA, and parse.com - noSQL database for GAS, additional keys can be passed in the request headers for further protection, but in another quirk of GAS fate, UrlFetch() cannot access any headers passed to it. I hope this will be resolved in the future too.
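The split between a read-only handler and a write handler described above can be enforced inside each handler with an operation allow-list. This is an added example, not the project's own code; `makeHandler`, `makeStore` and the action names are hypothetical, and the in-memory store stands in for the database. It runs in plain JavaScript with a constructed event object shaped like the `e.parameter` that Apps Script passes to `doGet`/`doPost`.

```javascript
// Added example: per-deployment operation allow-list. All names are hypothetical.

// Constructed in-memory store standing in for the database behind the handlers.
function makeStore() {
  const rows = new Map();
  return {
    query: (p) => (rows.has(p.key) ? [rows.get(p.key)] : []),
    count: () => rows.size,
    save: (p) => { rows.set(p.key, p.value); return 1; },
    remove: (p) => (rows.delete(p.key) ? 1 : 0),
  };
}

// Build a handler that dispatches only the operations on its allow-list.
// Unknown, missing or disallowed actions are refused before the store is
// touched (default deny), so a leaked read-only URL cannot be used to write.
function makeHandler(store, allowedOps) {
  const allowed = new Set(allowedOps);
  return function handle(e) {
    const params = (e && e.parameter) || {};
    const action = String(params.action || "");
    if (!allowed.has(action) || typeof store[action] !== "function") {
      return { status: "refused", action };
    }
    return { status: "ok", action, result: store[action](params) };
  };
}

// One store, two handlers: in Apps Script each would be its own deployed
// web app, with doGet/doPost forwarding the event object to handle().
const store = makeStore();
const readOnlyHandler = makeHandler(store, ["query", "count"]);
const writeHandler = makeHandler(store, ["query", "count", "save", "remove"]);

// Constructed requests: the write handler stores a row, the read-only one refuses.
console.log(writeHandler({ parameter: { action: "save", key: "a", value: "1" } }));
console.log(readOnlyHandler({ parameter: { action: "save", key: "b", value: "2" } }));
console.log(readOnlyHandler({ parameter: { action: "query", key: "a" } }));
```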
From now on this particular entry can be accessed using