Closed
@nareto
Description
I'm using this repo to develop a backend being used by an Android app I'm also developing. The backend is publicly exposed, but I'd like to allow only the Android app to access it. I don't care about hiding the endpoints, just making them throw a 400 error if the request comes from an unauthorized client.
How would you approach this?
I thought of putting some random UUID in the Android source code, and on every request encrypt it with a public key from the backend, which would require this same UUID to be present in every request. How would I do this? I need to do this on top of the existing JWT-based user authentication.