I do this with a bunch of my apps. The key is to have your server insert a shared secret as a metafield into the customer object. This can then be accessed using Liquid, which can then be used with OAuth, or a similar authentication scheme, so the customer himself never actually sends the secret anywhere, or stores it, and it can only be accessed by that particular customer, who is logged in.
If you use HTTPS on the page where the customer receives the secret, this should be relatively secure from external influence, except from other apps which also have access to the customer's metafields, as far as I know. If you've got a malicious app that can access all your fields, and is trying to mess around with your store, you're screwed anyway.