MD5 / salt makes verifying data unscalable as a lead gen provider


I want to run a service that acts as an endpoint provider for Lead Gen cards.

I don’t trust my users to be able to copy-paste a salt back into my app, especially when the salt seems to only be shown in the “testing integration” phase of building the card. Even if they did, I’m not a huge fan of storing that salt in my db, and a bad copy-paste job will ruin their whole campaign.

Is there any alternative here? IP address range whitelisting? Or something like that I can use to be sure the data is coming from Twitter? How are the other providers validating (or aren’t they)?

Any plans to allow lead gen cards hosted from our domains and powered by meta tags instead of forcing users to use your product to build and my product to set up the endpoint?