xAuth will not likely be offered to you as an option since you’re capable of leveraging the web to do callback authorization.
Keys generated by OAuth or xAuth generally remain the same strings unless a permission has changed or the key has been explicitly revoked. Even so, you shouldn’t rely on that.
There’s no reason to perform xAuth (or OAuth) again, after you’ve obtained the access token and it remains valid.
Building a proxy just to get around rate limiting isn’t wise. If that’s what you’re trying to do, there’s likely another solution you haven’t thought of. What are you really trying to accomplish? What kind of API calls are you making and who are they on behalf of?
Some people on large internal networks leverage a caching proxy server like Squid such that your internal network folks hit your squid representation of an API URL – if it’s been x minutes since the last time it made the request, Squid will fetch the content and respond with it. If it’s been less than that, Squid would serve a cached version of the content. In this way you don’t worry about auth quite the same way.
