In general, you cannot trust ANYTHING from the client - this is the problem that https://en.wikipedia.org/wiki/Trusted_Platform_Module is intended to solve, but that's a long path to go down. The best thing to do is authenticate the user and ensure all actions by that user are authorized, regardless of whether they come from a real client app or from someone playing around with your API, via MITM or via direct access.
As @Bakuriu notes above, nonces are random values, used once, different all the time - they are used to prevent replay attacks and as tokens in CSRF prevention schemes, for instance. What you are thinking of is, perhaps, an API key - a value used to authenticate a user (where user could be a program). As you say, you cannot bake that into the application, since the user can access it via disassembly, source code inspection or via network traffic inspection.
So, go down the route of not trusting the client. That means that each user needs to be authenticated, regardless of what client they use. Then you verify that that user has permission to do the action you want. You can issue API keys to each user.
One potential scheme: have them verify who they are by logging in to your website and generate a key for them that they can provide to the app - the app can save it in the user's keychain if you want to keep it convenient. When they try to perform an action, verify the API key against your database. As long as this is all done over secure channels, this is reasonable and used by many services.
Another: have the user authenticate to your service (potentially via Login with Facebook or whatever - OAuth/OpenID are good). Then verify the user directly on each request.
Both have the advantage that they are easy to revoke and that you can limit the user to what they are allowed to do, regardless of how they make the request.
ALL authorization verification and authentication verification should happen on the server side, always. The client is in enemy territory and can never be trusted (short of TPM ugliness).
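The per-user API key scheme described in this answer, sketched as an added example (not code from the answer's author): the server issues a key after login, verifies it on every request, checks the action is permitted for that user, and supports revocation. The `ApiKeyStore` class, the `key_id.secret` key format, the in-memory dictionary standing in for the database, and storing only a SHA-256 digest of the key are all assumptions of this example.

```python
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """In-memory stand-in for the server's key database (constructed for this example)."""

    def __init__(self):
        self._keys = {}  # key_id -> {"digest", "user", "actions", "revoked"}

    def issue(self, user, actions):
        """Call only after the user has logged in on the website; the key is shown once."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = {
            # Assumption of this example: keep a digest, never the key itself.
            "digest": hashlib.sha256(secret.encode()).digest(),
            "user": user,
            "actions": frozenset(actions),
            "revoked": False,
        }
        return f"{key_id}.{secret}"

    def revoke(self, api_key):
        """Mark the key unusable, e.g. when the user reports it leaked."""
        key_id = api_key.partition(".")[0]
        if key_id in self._keys:
            self._keys[key_id]["revoked"] = True

    def authorize(self, api_key, action):
        """Server-side check run on every request, whatever client sent it.
        Returns the user name if the key is valid and the action allowed, else None."""
        if not isinstance(api_key, str):
            return None
        key_id, sep, secret = api_key.partition(".")
        record = self._keys.get(key_id)
        if not sep or record is None or record["revoked"]:
            return None
        presented = hashlib.sha256(secret.encode("utf-8", "replace")).digest()
        # Constant-time comparison of the presented key's digest with the stored one.
        if not hmac.compare_digest(presented, record["digest"]):
            return None
        if action not in record["actions"]:
            return None  # authenticated, but not authorized for this action
        return record["user"]
```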