Happy to help.
Unfortunately, client-side API calls are very difficult in the OAuth 1.0a model. You’re right that you’d perform the token negotiation server side and then persist a user’s access token and associate it with whatever server-side representation you have for that user. The main difficulty is around keeping your consumer secret secured – you need to it to sign requests, but you can’t put it in public Javascript without exposing the key.
As for direct REST API calls, the only means you have to perform the requests client-side are to securely first use a server-side signing component – you’d make a client side request to your own server with the “ingredients” then on your server put those together to form the various OAuth header components you need to make a client-side request. Then you’d use those details to build a client-side request to the API.
As you can see, if you’re going to the trouble to sign things server-side but then making the request client-side, you’re not really getting any of the benefit of client-side development. You may as well just sign and execute all of your requests server-side and just use client-side Javascript to tell your own servers to make those calls.
Hope this helps!
