Enhance the security of ASP.NET Core Web API unauthorized get endpoint

I have the scenario where there is one web (Admin Panel) and another is front site on another domain. Now I want to provide the facility of "Impersonate" where supper admin can gain the access of his company's user's access and access whole site (front website). Now the endpoint is unauthorized GET endpoint, how can I enhance the API call security.

Approaches I have tried:

1. Have one common Key which I passed from admin panel to Front Site, so front site will call the API with same Key, but suppose somehow key is stolen then anyone can get access of the site with that user.

Anyone have strong mechanism for this?

I suggest you could try to generate the common key and it will expire for a specific timespan.

Also you could consider make your Web api to just allow specific IP to access the site to avoid other people get the key and access the web site.