We have a mobile game. It makes REST service calls to our custom APIs. Currently we require the username and password of the logged-in user with each request.
We want to prevent any other clients (web, mobile, etc.) from accessing these APIs. We know we could set up our own secret key, pass it along with each request and have the server validate it, but a hacker can easily decompile the code (and already has) to find out what the secret key is, so any tokens/keys we put in the client code can easily be detected and re-used from fake clients.
So my question is: is JWT designed to be used to prevent unauthorized clients from accessing our REST API?
If so, could someone please direct me to an article where I can read more about how to set this up?
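As an added example, not part of the question or written by its author, here is the server side of a minimal JWT flow in Python: the password is checked once at login, the server hands back an HS256 token it signed with a key that exists only on the server, and every later API call carries that token instead of the username and password. All names here (SERVER_KEY, USERS, issue_token, verify_token, handle_api_request) are this example's own, the user record is constructed, and the token is built by hand with the standard library so nothing needs to be installed. The final lines of the script show the limit the question is running into: the token proves which user logged in, not which client binary sent the request, so a fake client that holds a user's credentials obtains an equally valid token.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for this example: the signing key lives only on the server.
# The mobile app never needs it, so decompiling the app does not reveal it.
SERVER_KEY = b"constructed-server-only-signing-key-do-not-ship"

# Constructed sample user store. A real store would hold password hashes;
# plaintext keeps the example focused on the token flow.
USERS = {"alice": "correct horse battery staple"}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_token(username: str, password: str, now=None, ttl: int = 3600):
    """Login endpoint: checks the password once and returns a signed HS256 JWT, or None."""
    stored = USERS.get(username, "")
    if not hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        return None
    now = int(time.time()) if now is None else now
    header = _b64url(_json_bytes({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json_bytes({"sub": username, "iat": now, "exp": now + ttl}))
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(SERVER_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token, now=None):
    """Returns the claims if the signature and expiry check out, otherwise None."""
    if not isinstance(token, str) or token.count(".") != 2:
        return None
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    # Pin the algorithm server-side; never let the header pick it ("alg": "none" etc.).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        SERVER_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def handle_api_request(token, now=None):
    """Protected REST call: the token replaces username/password on every request."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, "invalid or expired token"
    return 200, f"hello {claims['sub']}"


if __name__ == "__main__":
    # Official app: log in once, then call the API with the token.
    token = issue_token("alice", "correct horse battery staple")
    print(handle_api_request(token))
    # A fake client that obtained the same credentials gets an equally valid token;
    # the server sees a legitimate user, not a particular app binary.
    print(handle_api_request(issue_token("alice", "correct horse battery staple")))
```

Whatever signs the token (an HMAC key here, or an RSA/ECDSA private key) stays on the server; the app only ever holds tokens scoped to one user with a short expiry, which is what makes this an improvement over shipping a shared secret in the client.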