Web API 安全

我被要求为允许发送电子邮件的应用程序(PC 可执行文件，非网络应用程序)编写一个 Web API.
用户点击某物，应用与 API 通信，API 生成电子邮件并将其发送出去.

I'm asked to write a Web API for an application (pc executable, not web-app) that will allow sending emails.
A user clicks something, the app communicates with the API which generates an email and sends it out.

我必须确保没有未经授权的人可以访问 API，因此我需要进行某种身份验证，但我不知道如何正确执行此操作.

I have to make sure noone unauthorised will have access to the API, so I need to make some kind of authentication and I haven't got an idea how to do it correctly.

将会有更多的应用程序访问 API.

There will be more applications accessing the API.

首先想到的是 - 发送用户名和密码，但这并不能真正解决问题.因为如果有人反编译应用程序，他们将拥有请求 url 和变量，包括用户/密码，或者只是可以嗅探.

First thought was - send username and password, but this doesn't solve the problem really. Because if someone decompiles the application, they'll have the request url and variables including user/password or simply it can just be sniffed.

那么……我有什么选择?

so... what options do I have?

我相当确定安全连接 (SSL) 目前对我不可用，但是，这仍然无法帮助我解决反编译问题，是吗?

I'm fairly sure secure connection (SSL) is not available to me at the moment, but still, this won't help me against the decompiling problem, will it?

编辑

我一开始没有说过，但是不会要求用户输入用户名/密码.必须验证的是应用程序，而不是应用程序的用户.

I haven't said that initially, but the user will not be asked for the username/password. It's the application(s) that will have to be authenticated, not users of the application(s).