I want to distribute an application that users can authorize to post to Twitter. (It’s not Yet Another Twitter Client, for the record.)
However, doing so seems to require that I store and distribute my application’s consumer key. If (not if, when) someone got hold of that key, they could impersonate my application, I understand.
Am I understanding this correctly? Is there some sort of alternative process that would eliminate that need?
I suspect what I need to do is set up a web application, storing access tokens and consumer keys there, and expose an API that is used by my distributed application. This adds the burden of maintaining said web application and makes me a point of failure, so I’d rather not do that.
Any guidance on this front would be helpful.