What I am trying to accomplish is I want to limit the use of the web service running on Google App Engine to my app users that login with Firebase Auth.
How can I add security rules to the openAPI specification to allow users to request only information of their uuid? So users will just be able to use the web service to get the information about their uuids, if they are logged in to Firebase Auth with that uuid
You'd have to pass along the ID token of your user from the client app to your server over a secure connection. Then on your server you can verify that ID token, and customize data access on the user's identity.
For more on this, see the Firebase documentation on verifying ID tokens.