OK, here's the next best solution I'm considering; please let me know if this does respect the spirit of your policies.
I'm thinking about storing both the consumer secret and the token secret on our side, and signing the request on our side as well. I would, however, have to let the end user's equipment initiate the direct, long-lasting connection to your servers for real-time data. This means their hardware would have access to all headers needed to make the request.
The most sensitive values in the header seem to be the application’s consumer key and the user’s access token. I don’t think those should be any real concern, but I thought it would be better to ask before implementing.
Is this a sound approach, according to your best practice guidelines?
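The split the post describes, as an added example that is not part of the original thread and not the platform's own code: the application's server holds the consumer secret and the token secret and produces the OAuth 1.0a (RFC 5849) HMAC-SHA1 Authorization header, the user's device only ever receives the finished header, and the service recomputes the signature to verify it. The endpoint URL, the `track` parameter and every key, token and secret are constructed placeholders. Parsing the header as the device sees it shows what is exposed: consumer key, access token, nonce, timestamp and signature, but neither secret. The signature also covers the method, URL and parameters, so the device cannot mint a signature for a different request; it can, however, resend the same signed request for as long as the service accepts that timestamp and nonce.

```python
"""
OAuth 1.0a HMAC-SHA1 signing split across two parties: the app server
signs with both secrets, the end user's device only gets the header.
All credentials and the endpoint below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlparse


def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only A-Za-z0-9-._~ stay unescaped)."""
    return quote(s, safe="~")


def signature_base_string(method, url, params):
    """METHOD & enc(base URL) & enc(sorted 'k=v' params), query and body params included."""
    parsed = urlparse(url)
    base_url = f"{parsed.scheme.lower()}://{parsed.netloc.lower()}{parsed.path}"
    all_params = list(parse_qsl(parsed.query, keep_blank_values=True)) + list(params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(base, consumer_secret, token_secret):
    """Signing key is enc(consumer_secret) & enc(token_secret); output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """App-server side: build the complete Authorization header. Secrets never leave here."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**oauth, **body_params})
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization(header):
    """What the device (or anyone reading its traffic) can recover from the header."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0a header")
    fields = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        fields[unquote(k)] = unquote(v.strip('"'))
    return fields


def verify_request(method, url, body_params, header, consumer_secret, token_secret):
    """Service side: recompute the signature from the received request and compare."""
    fields = parse_authorization(header)
    received = fields.pop("oauth_signature", "")
    base = signature_base_string(method, url, {**fields, **body_params})
    return hmac.compare_digest(received, hmac_sha1(base, consumer_secret, token_secret))


# Constructed placeholders, not real credentials or a real endpoint.
CONSUMER_KEY, CONSUMER_SECRET = "app-consumer-key", "app-consumer-secret"
TOKEN, TOKEN_SECRET = "user-access-token", "user-token-secret"
STREAM_URL = "https://api.example.com/stream?delimited=length"
BODY = {"track": "security, oauth"}


def demo():
    """Server signs, device holds the header; report what the device can see."""
    header = sign_request("POST", STREAM_URL, BODY, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET)
    visible = parse_authorization(header)
    secrets_leaked = CONSUMER_SECRET in header or TOKEN_SECRET in header
    return header, sorted(visible), secrets_leaked


if __name__ == "__main__":
    hdr, keys, leaked = demo()
    print(hdr)
    print("device sees:", keys)
    print("secrets in header:", leaked)
```

The device can only replay exactly what it was handed: `verify_request` fails if the body or URL differs from what the server signed, and it fails if the service's copy of either secret does not match, so the header by itself is not a credential for arbitrary requests.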