You can try looking at
https://github.com/apiato/apiato
They have double auth for the API,
with permissions on what each role can access, using Laravel permissions.
api:auth
Hey,
I have an API for iOS/Android app that was originally set up with simple user auth (user enters email/password, they get a token, it's stored in an iOS/Android app and passed along with all requests).
The API has since grown and has been re-written to be a bit more 'general purpose' and it can now be consumed by our admin backend tool to manage CRUD and other functions that power the service.
Even though the API is secured with tokens and has policies protecting CRUD abilities, it still worries me that anyone could literally fire up Postman and start poking around.
My question is: is it worth trying to restrict the API's usage to authorised devices? My initial thought was to set up 'client tokens' for each group of devices, one for the iOS/Android apps and one for the admin backend, so that any request that didn't carry one of these tokens would not be allowed to consume the API, regardless of whether the request contained auth tokens. Basically an extra layer of security.
I looked around online and it isn't a well-received idea.
Any thoughts on this?
I should add that I'm well aware tokens can always be obtained and that jailbroken apps have their data extracted, particularly on Android. I know that it can never be fully protected; it's all about making it difficult for the users.
If not tokens, then something else? Or maybe I'm just being too paranoid?
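The "client token per device group" layer described in the question, written out as an added example (this is not code from the thread, from Laravel, or from apiato). It is a Laravel route middleware; the class name EnsureClientToken, the X-Client-Token header, the config/clients.php file, the CLIENT_TOKEN_HASH_* environment variables and the client.token alias are all assumptions chosen for the example. It stores only SHA-256 hashes of the per-group tokens server-side, compares with hash_equals() so the check is constant-time, and runs before auth:api, so a request with a valid user token but no client token is still rejected, which is exactly the behaviour the question asks for.

```php
<?php
// app/Http/Middleware/EnsureClientToken.php  (assumed path and class name, example only)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class EnsureClientToken
{
    /**
     * Reject any request that does not present a valid client token for one of
     * the allowed app groups, before user authentication is even attempted.
     *
     * The raw tokens are never stored on the server. config/clients.php (an
     * assumed config file) holds SHA-256 hashes only, for example:
     *
     *   return ['groups' => [
     *       'mobile' => env('CLIENT_TOKEN_HASH_MOBILE'),
     *       'admin'  => env('CLIENT_TOKEN_HASH_ADMIN'),
     *   ]];
     *
     * Generate a token and its hash once, e.g. in tinker:
     *   $token = bin2hex(random_bytes(32));   // ship this inside the app build
     *   $hash  = hash('sha256', $token);      // put this in .env
     *
     * Route parameters restrict which groups may call a route, e.g.
     * 'client.token:admin' on admin-only CRUD routes.
     */
    public function handle(Request $request, Closure $next, string ...$allowedGroups): Response
    {
        $presented = $request->header('X-Client-Token'); // header name is an assumption

        if (!is_string($presented) || $presented === '') {
            return response()->json(['message' => 'Client token required.'], 401);
        }

        $presentedHash = hash('sha256', $presented);
        $groups = config('clients.groups', []);

        foreach ($groups as $group => $storedHash) {
            if ($allowedGroups !== [] && !in_array($group, $allowedGroups, true)) {
                continue; // this group exists but is not permitted on this route
            }
            if (!is_string($storedHash) || $storedHash === '') {
                continue; // misconfigured group: never match on an empty hash
            }
            // hash_equals() is constant-time, so response timing does not leak
            // how many bytes of the presented token were correct.
            if (hash_equals($storedHash, $presentedHash)) {
                // Make the calling group available to controllers/policies,
                // e.g. to deny admin CRUD to a request that came from the mobile group.
                $request->attributes->set('client_group', $group);
                return $next($request);
            }
        }

        // Same status and message for "unknown token" and "token from a group not
        // allowed here", so the response does not confirm which tokens exist.
        return response()->json(['message' => 'Unknown client.'], 401);
    }
}

// app/Http/Kernel.php (Laravel 10; older versions use $routeMiddleware):
//   protected $middlewareAliases = [
//       // ...
//       'client.token' => \App\Http\Middleware\EnsureClientToken::class,
//   ];
//
// routes/api.php: the client check runs before the user token check.
//   Route::middleware(['client.token:mobile,admin', 'auth:api'])->group(function () {
//       Route::get('/me', [ProfileController::class, 'show']);
//   });
//   Route::middleware(['client.token:admin', 'auth:api'])->prefix('admin')->group(function () {
//       Route::apiResource('users', AdminUserController::class);
//   });
```

Two caveats a reviewer would attach to this. First, it is a filter for casual poking, not a trust boundary: the token ships inside the mobile binary and can be pulled out of it, so every real authorization decision must still live in the per-user policies the question already has; the client_group attribute set above should only ever narrow what a route allows, never widen it. Second, rotate tokens by adding a new hash alongside the old one and removing the old one once the previous app build is retired, rather than by replacing it in place, or every installed app breaks at once.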