"I am under attack" for an API endpoint

As far as I understand, the “I’m under attack” feature works well for server-side rendering applications, where you need to interact with the browser. In this case a JavaScript challenge is applied to check if the request is actually real, made by a person and not a robot. Right?

But in an API, where the requests are made through a mobile app or even via cURL/Postman or something that is not a browser, how would Cloudflare protect the endpoint against DDoS, bots, brute force, etc. in this case in the “I’m under attack” feature?

You would most likely be better off using something like rate limiting. It’s a paid option (from a certain number, there is a free tier), but ideal for this type of situation.