How are hosting providers not in breach of storing API keys?


I understand that an application should never ask a user to hand over API keys and secrets, and that in doing so those keys are compromised and you (Twitter) are likely to revoke them.

My question is how hosting companies and cloud service providers are not constantly in breach of these terms, and how keys stored on leased servers are not considered compromised as soon as they touch the disk?

Keys and secrets are often placed in code that hosting companies are storing (and can probably read). Other PaaS environments allow you to add parameters like these via form-field-based configurations in their web-based control panels.

If hosting providers are a special case, then it’s not clear in your TOS. Are hosting providers not classed as “accessing the API”, even though this is being done from their networks, on their hardware on behalf of their customers?