Thanks for explaining in more detail. Due to the security model of OAuth apps, there can be only one redirect URI per app. However, using the state parameter technique I mentioned, you can handle multiple clients with a single app.
Regarding your security questions, the short answer is yes – as your website becomes a component in the critical path of theme activation/updates, it needs to store data securely and be engineered for resiliency. The previous API we used was actually much less secure, as it placed security tokens in the URL and didn’t always use secure transport mechanisms.
If you want to provide registration/ticketing/update/etc. functionality to verified buyers, using the API as described here and in the other post is the best approach we have.
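The state-parameter approach mentioned in the reply above, as an added example that is not part of the original post or the API's own code: the single redirect URI receives a signed `state` value and maps it back to the client that started the flow. The secret, client names and URLs are constructed, and the HMAC signing, allowlist and expiry window are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
ALLOWED_CLIENTS = {               # constructed allowlist: client id -> fixed return URL
    "site-a": "https://a.example/activate",
    "site-b": "https://b.example/activate",
}
MAX_AGE = 600  # seconds a state value stays valid

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_state(client_id, now=None):
    """Build the state value sent along with the authorization request."""
    if client_id not in ALLOWED_CLIENTS:
        raise ValueError("unknown client")
    issued = int(time.time() if now is None else now)
    # The nonce makes every state unique; also keep it in the user's session
    # if state doubles as CSRF protection.
    payload = json.dumps({"c": client_id, "n": secrets.token_urlsafe(16),
                          "t": issued}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)

def resolve_state(state, now=None):
    """At the single redirect URI: verify state, return the client's URL or None."""
    try:
        p64, s64 = state.split(".")
        payload, sig = b64d(p64), b64d(s64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # tampered or signed with another key
        data = json.loads(payload)
        age = (time.time() if now is None else now) - data["t"]
        if not 0 <= age <= MAX_AGE:
            return None  # expired or issued in the future
        # The return URL comes from the allowlist, never from the request itself.
        return ALLOWED_CLIENTS.get(data["c"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed state
```

Because the return URL is looked up server-side from the verified client id, a modified `state` cannot steer the callback to an arbitrary destination.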