What would be the difference between knowing id and the API key?
On the device, the ID is displayed in plain text. Someone can easily get the device ID.
The key will be masked, not displayed in plain text, and stored on the device in an encrypted format.
The key is generally issued at the account level, and with it we could do authentication.
In the current set up, how am I guaranteed that the data I received at the server is from a legitimate device?
A device can be shared between user accounts. You can't use a user key for authentication.
Can you add an optional (for backwards compatibility) API key to the configuration? If a value for the key exists, send it as a parameter. Right now there is no way we can authenticate the request. Anyone can spoof the data and send it if they know the server URL and device ID.
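As an added example (not code from this thread or the project being discussed), here is a server-side check for the optional key the request asks for: a device that was issued a key must present it, a legacy device that never received one is still accepted, and all comparisons are constant-time. It goes one step beyond the proposal by also accepting an HMAC of the body in place of the raw key, so the key itself need not travel in the request. The registry, device IDs, keys and sample body are constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed registry: keys issued per device, since the thread notes an
# account-level key cannot authenticate a device shared between accounts.
# A None entry is a legacy device that never received a key.
DEVICE_KEYS: Dict[str, Optional[str]] = {
    "dev-1001": "k3y-for-device-1001",  # constructed sample key
    "dev-2002": None,                   # legacy device, no key issued yet
}


def sign_body(key: str, body: bytes) -> str:
    """What a device holding the key computes for the 'sig' parameter."""
    return hmac.new(key.encode(), body, hashlib.sha256).hexdigest()


def verify_upload(device_id: str, params: Dict[str, str], body: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be accepted; returns (accepted, reason).

    Accepts either the plain 'api_key' parameter the feature request proposes
    or a 'sig' parameter holding HMAC-SHA256(key, body), which proves
    possession of the key without sending it over the wire.
    """
    if device_id not in DEVICE_KEYS:
        return False, "unknown device id"
    key = DEVICE_KEYS[device_id]
    if key is None:
        # Backwards compatibility: no key was ever issued, so the device
        # cannot be authenticated; accept but label it for the server log.
        return True, "legacy device, unauthenticated"
    if "sig" in params:
        expected = sign_body(key, body)
        if hmac.compare_digest(params["sig"], expected):
            return True, "hmac signature valid"
        return False, "hmac signature mismatch"
    if "api_key" in params:
        if hmac.compare_digest(params["api_key"], key):
            return True, "api key valid"
        return False, "api key mismatch"
    # A key was issued for this device, so a request without one is rejected:
    # a sender that only knows the device ID cannot satisfy this check.
    return False, "key issued for this device but request carried none"
```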