#Exposing and protecting endpoints

What do you mean by hide? In the sense of not including them in the generated documentation?

In the workflow frontend - backend I am securing via JWT but within of my system I have other service is asking or responding data to backend. In this point is not needed 100% to secure the endpoint because the request is sent from the backend and this backend is authenticating. But maybe is neccessary to secure that connection as well.. i don't know.. the question is, what is the best way in this scenario.

in the case that by "exclude" you meant from your swagger:
you can add the @ApiExcludeEndpoint() on that endpoint so that it won't show up

Is that endpoint accessible on the same network? If yes, then you absolutely need to secure it. If not (e.g. it is listening on a different port that is not exposed to internet), then it's not necessary.