You could use the device id as a key, then store the device id in the back-end and on first auth, do some checks to make sure it is valid/correct and then activate the device id for access.
The only issue is that I believe iOS gives a new device id every time the app is reinstalled, so the app would have to re-auth, and you would end up with heaps of devices if it happens too often (you could store a last-used date and remove the device authorization after however long).
For better security of the back-end, make it harder to spoof the device id.
Send the UUID and a hash. The hash can be the UUID appended with a secret key stored in the app (maybe generate it on first run or something), appended along with a timestamp, all encoded in sha1 or sha256, e.g. sha256(device.uuid+secretKey+Date.now());
It's not 100% foolproof, but it would help reduce the risk of the UUID being spoofed.
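
The scheme described in the post above, as an added example that is not part of the original post: the client sends the UUID, a timestamp and a hash, and the back-end recomputes the hash and rejects unknown devices, stale timestamps and mismatches. It uses HMAC-SHA256 in place of the post's plain sha256 concatenation; the function names, the `|` separator, the five-minute window and the in-memory device map are assumptions.

```javascript
// Added example, not code from the original post. All names are hypothetical.
const nodeCrypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window for the timestamp

// HMAC over uuid and timestamp, keyed with the per-install secret.
function mac(uuid, timestamp, secretKey) {
  return nodeCrypto
    .createHmac("sha256", secretKey)
    .update(`${uuid}|${timestamp}`)
    .digest("hex");
}

// Client side: the timestamp must travel with the hash so the server can recompute it.
function signRequest(uuid, secretKey, now = Date.now()) {
  const timestamp = String(now);
  return { uuid, timestamp, hash: mac(uuid, timestamp, secretKey) };
}

// Server side: `devices` is a Map of uuid -> { secretKey, lastUsed },
// filled in when a device id is activated on first auth.
function verifyRequest(devices, req, now = Date.now()) {
  const device = devices.get(req.uuid);
  if (!device) return "unknown-device";

  const ts = Number(req.timestamp);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) {
    return "stale-timestamp";
  }

  // Compare in constant time; a malformed hex string decodes to the wrong length.
  const expected = Buffer.from(mac(req.uuid, req.timestamp, device.secretKey), "hex");
  const received = Buffer.from(String(req.hash), "hex");
  if (expected.length !== received.length ||
      !nodeCrypto.timingSafeEqual(expected, received)) {
    return "bad-hash";
  }

  device.lastUsed = now; // supports expiring devices that have not been seen for a while
  return "ok";
}

// Constructed sample data: one activated device and one signed request.
const devices = new Map([["constructed-uuid-0001", { secretKey: "constructed-secret", lastUsed: 0 }]]);
const sampleRequest = signRequest("constructed-uuid-0001", "constructed-secret");
console.log(verifyRequest(devices, sampleRequest));
```

A captured request still verifies until the window closes, so the timestamp only bounds how long a copied hash stays usable. The secret ships inside the app, so it can be extracted from the device.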