At some point the app needs to have some credential hardcoded, but you can make it more obscured by getting the API key from your own server with some kind of challenge/response. This makes it easier to rotate third-party API keys and cut off unauthorized usage, by including information in the challenge request that could be used to correlate unauthorized requests.
Your hardcoded credential could then become a cryptographic key that you could rotate on app updates.
I am not sure how many apps actually go through this trouble.
The app uses rot(4) to obscure data, includes a debug link with the collected data, and has the Fluzo service API key hardcoded, among other gems.
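
The challenge/response key fetch suggested above, sketched as an added example (not code from this page or from any app it mentions). The key values, version strings, install IDs and function names are all constructed for illustration, and the server state is kept in memory for brevity.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: one embedded key per shipped app version.
APP_KEYS = {"2024.1": b"constructed-app-key-v1", "2024.2": b"constructed-app-key-v2"}
REVOKED_VERSIONS = {"2024.1"}        # key from an old build, rotated out by an update
THIRD_PARTY_API_KEY = "PLACEHOLDER-THIRD-PARTY-KEY"
CHALLENGE_TTL = 60                   # seconds a nonce stays redeemable
_pending = {}                        # nonce -> (install_id, issued_at)
audit_log = []                       # (install_id, app_version, outcome) for correlation

def issue_challenge(install_id, now=None):
    """Server: hand out a single-use nonce bound to the requesting install."""
    nonce = secrets.token_hex(16)
    _pending[nonce] = (install_id, time.time() if now is None else now)
    return nonce

def client_response(app_key, nonce, install_id, app_version):
    """Client: prove possession of the embedded key without transmitting it."""
    msg = f"{nonce}|{install_id}|{app_version}".encode()
    return hmac.new(app_key, msg, hashlib.sha256).hexdigest()

def redeem(nonce, install_id, app_version, response, now=None):
    """Server: verify the response, record the attempt, release the API key."""
    now = time.time() if now is None else now
    issued = _pending.pop(nonce, None)   # pop makes every nonce single-use
    key = APP_KEYS.get(app_version)
    if issued is None or issued[0] != install_id or now - issued[1] > CHALLENGE_TTL:
        outcome = "bad_challenge"
    elif key is None or app_version in REVOKED_VERSIONS:
        outcome = "revoked_version"
    elif not hmac.compare_digest(
            client_response(key, nonce, install_id, app_version), response):
        outcome = "bad_mac"
    else:
        outcome = "ok"
    # Every attempt is logged with the identifiers sent in the request, so
    # abuse can be traced to an install or app version and cut off.
    audit_log.append((install_id, app_version, outcome))
    return THIRD_PARTY_API_KEY if outcome == "ok" else None
```

The embedded HMAC key can still be pulled out of the binary, so the gain is server-side control: the third-party key can be rotated without shipping a new build, and a leaked app key is cut off by adding its version to `REVOKED_VERSIONS`.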