
There is no API key. The URLs are not public, not guessable, and traffic runs over HTTPS. Any attempt at accessing a wrongly guessed URL bans the IP address. I have no intention to rewrite this stuff.

You need to have the app to get to know the URLs.



A randomly generated URL (even by a bad random generator like a human) is equivalent to an API key. The exact same argument you made about the URL can be made about a baked-in API key.

Implement auth. Do extremely basic auth if you have to, using HTTP Basic auth over HTTPS, and check against a hardcoded value on the server. It's not secure by any stretch of the imagination, but it is better than giving "API keys" to any intermediary that can do a string dump on your APK...



