cwebber2Gargron, aaronpk: what's considered best practice for a third party app that's a FOSS desktop/mobile client registering with OAuth? you can't keep an app-level secret, so presumably each individual user client instance should register as a separate app, right?
