I've been scouring the internet for information about how to properly generate an api key that is not tied to any user but just to an application installation and haven't come up with much. So either I'm thinking about this the wrong way entirely or I'm not asking the question correctly.
So here's what I'm trying to do and please let me know if I'm thinking about this the wrong way.
I'm making a PHP Rest API with a MySQL back end. I have no users to speak of but I want to secure my rest api with an apikey so that I can at least log usage and other metrics. This api will be primarily consumed by an Android app but I also want the flexibility to be consumed by any client type really. So I was thinking of creating and endpoint named "generateToken" that will return an apiKey that can be used to call the service. As far as apps are concerned, they will hit this generateToken endpoint during installation and then have it saved in their shared preferences store or keychain for the lifetime of the app. Is this an appropriate way to essentially setup an apikey to identify individual calls etc? Am I thinking about this the wrong way? Should I just institute some sort of user store although I have no real use for it other than securing the api.
I went ahead and did as I mentioned above and created a generateToken endpoint. I also required the current utc time to be passed as a parameter to my api in order to prevent spam and as an added security measure. So I check that the utc time passed is no more than 60 seconds apart from the current utc time. If it's not then it's an invalid call.