Authenticating client without hardcoding key
It’s not possible to authenticate a client in this way. As you correctly point out, it can always be reverse engineered and duplicated. Server authentication only works because the user doesn’t have access to the server hardware, and to produce a secure client you must find a way to block the user from accessing the client hardware, which is generally impossible.