Access for an app using an API

I’m using Access for self-hosted applications just for my family. It works great when I am requesting a web page, as I have it locked down to specific email addresses.

A couple of the hosted apps have associated Android apps which use an API to pull data from the server. There is no provision for me to see a web page first to request a PIN. There is also no way for me to modify a header with a service authorisation code.

At the moment I have set up a bypass, but am not entirely comfortable that the data seems to be unprotected in this case.

Is there any way to secure this use case? Am I missing something obvious?