We’re the creators of a PHP-based CMS product that users install on their own sites (like they would with WordPress, for example). We currently have a Twitter add-on that customers can use to display tweets on their website. We’re currently using the unauthenticated public json feeds (as nature intended) but are resigned to needing to switch to an authenticated model.
If I register my software as a Twitter app – as if it were a desktop client – and then distribute it to our customers, they’d all have access to the keys. Our software is PHP, and therefore uncompiled and view-sourceable. That sounds like a bad idea.
So should I be instructing every user to register their own app in order to use our software? That doesn’t sound right either - I wouldn’t want it to appear like we were trying to bypass any limits by acting that way. Is that what I should be doing? Each user of the add-on should register it as their own app?
I guess my question boils down to: is an app the software, or an installation of the software?
Just looking to do this the right way - any help appreciated.