"So how does a developer use API's of 3rd party systems without putting in credentials, such as Twitter or Google's Gaming system?"
You know, I had the same thought, As most of these apps require some kind of signup and login process you could download the credentials as part of that. But then that leaves the credentials available on a web-site somewhere. That's certainly no better and possibly worse.
As a win-forms c# developer how I got round this was encrypting any default keys and having my own internal calls that decrypt them before use. It's not perfect but it's the best I could come up with. At least it means that credentials aren't stored in an easily readable way.
I wonder if anyone more used to this can detail any industry standards and reading material? I'm genuinely interested.