Connecting website with particle

I’m looking to connect my website to my particle such that I can send commands to it and receive responses from it in real time (such that the user doesn’t have to refresh the page and it will automatically update depending on the response). I currently have that setup in javascript, except there is one problem. Anyone that accesses my website can just call the functions through console allowing them to access the particle directly. How do I do this so that everything runs server side? I want to use PHP and a javascript frontend. Is there any examples etc…?

For example:
On my website the user purchases an activation code. With that code they enter it on the website and I check to see if that code is valid by seeing if its in my SQLDatabase, once it’s entered and validated it calls a function on the particle that then sends them data back. What is the best way to do this securely so that people cant just call the function to access the particle through developer console?