You’ve gotten most of the hard stuff down.
When you used the oauth/access_token method you got back a long-lived access token (and access token secret). You persist these as they represent the identity of the user you’re acting on behalf of. When you make a call to statuses/update to tweet, you use this access token as part of the request – but you still need to “sign” the request using OAuth. See [node:3036]
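The signing step described above, as an added example that is not part of the original post: an OAuth 1.0a HMAC-SHA1 signature over a statuses/update request, showing that the access token travels in the header while both secrets are used only as the HMAC key. The endpoint URL, the function names and all credential values are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# Assumed endpoint URL for statuses/update (not given in the post).
URL = "https://api.twitter.com/1.1/statuses/update.json"

def pct(value):
    # OAuth 1.0a percent-encoding: everything except RFC 3986 unreserved chars.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Encode every key and value, sort, join, then encode the joined string again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # The HMAC key is built from both secrets; neither is ever sent on the wire.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    message = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()

def signed_tweet_header(status, consumer_key, consumer_secret, token,
                        token_secret, nonce=None, timestamp=None):
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,  # the persisted access token
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
        # A fresh nonce and timestamp per request limit replay of a captured header.
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
    }
    # The signature covers the OAuth fields and the request body parameters,
    # so changing the status text after signing invalidates the request.
    oauth["oauth_signature"] = sign("POST", URL, {**oauth, "status": status},
                                    consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

if __name__ == "__main__":
    # Constructed placeholder credentials, not real keys.
    print(signed_tweet_header("Hello from a signed request!", "example-consumer-key",
                              "example-consumer-secret", "example-access-token",
                              "example-token-secret"))
```

The returned string goes in the `Authorization` header of the POST, with `status` sent form-encoded in the body.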