I don't think that's the case, because otherwise how did they leak this key that the backend uses, that presumably stayed in the backend, by reverse-engineering the rabbit android application?
I think the devices all just have hardcoded keys to the APIs themselves.