@osjs is really concerned about server resources being abused, and there are ways to address that. For example, you can rate limit requests by IP address. Server load is really an issue to be fixed by your service, because even if you have traffic only coming from the app do you have the infrastructure to scale up if it becomes popular?
As far as limiting access, I agree with @epelc that accounts help solve this problem. Setting a private key, token, or something that is contained in the app code could be discovered by someone who could dissect the app. With an account, you can grant a unique token to each app and selectively disable an account when you notice something is going wrong.
Ultimately, I would first worry about the scalability of your server, then if still necessary add accounts to be able to provide unique tokens for each app.