Android

How to organize REST API with OAuth 2.0 and JWT for mobile applications?

I'm making an API for mobile applications. The API should work for the native mobile app and also in the future for third parties. To authenticate my own application, I use the instructions in the documentation ( Client Credentials Grant ), i.e. I pass authorization data (client_id, client_secret) from the application directly to the server. I'm going to receive a JWT token (JSON Web Token) back.
Here the question arose: do I need to identify applications (my application on Android and iOS) or user devices?
- If the first, then formally it turns out that for the server at the time of authentication, all devices on the same platform are one person. Accordingly, the secret in the JWT will be the same for all users of the iOS application.
- If the second, then in the authorization data exceptclient_id and client_secret must also include some unique device_id , which is then stored in a separate table along with its corresponding JWT secret.
Am I thinking right, and which path should I choose?