The API I'm working on is for a mobile app only. Since mobile apps are on different devices and IP's I am unsure how to go about making it to my API can't be accessed outside of the app. The only solution I can think of is an API Key that goes out with the app. This app doesn't require login as its purely GET requests, but I don't want people to be able to hit the API outside of the app.
How can I go about doing this? Would key based be an ideal option? What about if the key gets compromised?
You could use access token (key) as you already pointed out.
Save token in local storage, send it in header within every request (search for: Authorization Bearer). Then check it every time on your API.
If your key gets compromised, change it on your API. You will need to change it on mobile device as well - will you have access to it?
I hope that helps.