java - http request protect from android -

i have script server side , print json array, prevent other apps can call file.

i have ideas don´t convince me @ all:

1.- use staic token, it´s not enough.

2.- change token monthly, can lost old users did not updated app.

3.- detect package name of app , send precall data recognize users.

any idea how can protect or difference clients or user have installed app?

greetens

what if encrypted output of script , built decryption key android apps? apps use output. other people still call script output useless.