Woocommerce API security concerns

As you hint at, it sounds like intuitively very bad design to have one key for all users that’s hard coded in your app. You can’t retract that key without breaking the app for all users, and you can’t limit access easily if one user e.g. overloads your API. If you do this, you may as well have no key at all as it’s likely trivial to recover the key.

Better design in this case is to issue a key per user and include in your app a requirement for a user to enter their own key before the API will work. (Or, if they don’t enter a key, they are limited somehow to only a small number of accesses.)

This means you need to:

  1. Find a way to issue keys per user
  2. Update your app to allow entering the API Key

This should sound familiar, as lots of services like any of the Google APIs work like this – you have to register, get a key, put the key in your app/code.
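As an added illustration of the per-user key design the answer recommends (example code, not from the original post and not part of WooCommerce or its API), a hypothetical `ApiKeyRegistry` that issues one key per user, stores only a hash of it, revokes a single user's key without affecting anyone else, and rate-limits each user separately while callers with no key get only a small allowance; the limits and window are assumed values:

```python
import hashlib
import secrets
import time
from collections import defaultdict


class ApiKeyRegistry:
    """Hypothetical per-user API key store: issue, revoke, authorize, rate-limit."""

    def __init__(self, per_user_limit=100, anonymous_limit=5, window_s=60):
        self.per_user_limit = per_user_limit    # requests per window with a valid key
        self.anonymous_limit = anonymous_limit  # small allowance for callers with no key
        self.window_s = window_s
        self._keys = {}                  # sha256(key) -> user id; the key itself is never stored
        self._hits = defaultdict(list)   # principal -> request timestamps in the window

    def issue(self, user):
        """Generate a fresh random key for one user; it is shown once and only its hash kept."""
        key = secrets.token_urlsafe(32)
        self._keys[hashlib.sha256(key.encode()).hexdigest()] = user
        return key

    def revoke(self, user):
        """Retract one user's key; every other user's key keeps working."""
        self._keys = {h: u for h, u in self._keys.items() if u != user}

    def authorize(self, key=None, now=None):
        """Return (allowed, principal). Unknown or revoked keys are rejected outright;
        a missing key falls back to the small anonymous allowance."""
        now = time.time() if now is None else now
        user = None
        if key:
            user = self._keys.get(hashlib.sha256(key.encode()).hexdigest())
            if user is None:
                return False, None
        principal = user if user else "anonymous"
        limit = self.per_user_limit if user else self.anonymous_limit
        # Sliding window: keep only timestamps still inside the window
        hits = [t for t in self._hits[principal] if now - t < self.window_s]
        if len(hits) >= limit:
            self._hits[principal] = hits
            return False, principal   # this principal is throttled; others are unaffected
        hits.append(now)
        self._hits[principal] = hits
        return True, principal
```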