You are on the right track to use a secret key, but use that key to create a hash that you pass with the URL instead of the key. The server has the same key and can recreate the same hash. If it doesn’t match, then it’s not valid.

$key = 'my secret key';
$data_item1 = 'something';
$data_item2 = 'something else';

$random_key = mt_rand(100000,10000000);
$check = sha1($key . $data_item1 . $data_item2 . $random_key);

$submit_data = array(
    'data_item1' => $data_item1,
    'data_item2' => $data_item2,
    'check' => $check,
    'checkid' => $random_key
);

The server has the same $key as the app. It can then take the data elements submit and run the same sha1 and compare the sha1 results. You don’t need to use all the data items you are submitting to create the sha1 hash. The important part is leaving out some “key” data from the submission to generate the hash. This also verifies that the data wasn’t changed or tampered with in transit since it acts a sort of checksum.

The random data is to make sure every request has a different hash so it’s harder to detect patterns. This method should be sufficient to deter casual hacking.