You can get but not manage, rewards you don’t own.
EventSub/PubSub will also broadcast all redeems that occur regardless of owner.
So this is false.
You mean industry standard oAuth used by most things that provide an API?
Once you have a working “template” of oAuth, you can use the same code for a bunch of services, you just feed it different URL’s and scopes