I have a set of REST APIs (via Firebase Cloud Functions) that I would like to release to my clients to allow them to create their mobile apps. The mobile apps they will be creating are used by public users. Users are not supposed to deal with my APIs and thus with authentication. So I don't need end-user authentication. It's up to my clients (app makers) to use "some secret" for authorization.
Based on what I have researched, Firebase Admin SDK might not be a good solution to this end since we're concerned about client-level authentication.
I was wondering if API Gateway is the right solution for my use case? Can I use it to whitelist particular clients (app makers) without engaging end users? What are the limitations? Any best practices?