OAuth question

So say I make a self-hosted app that uses the Twitter API. I get a token and store it within the app somewhere. Does this mean that other self-hosted apps that use the Twitter API will be able to make calls with my token if they were to somehow gain access to the token?

Assume all apps are on the same domain.

That’s right.

Why don't you set the script to not be accessible directly if you want to lock it?