Are there any volume issues regarding the Facebook app secret and how many separate connections (or "applications") I can use the same app id/secret on? For example, I'm creating a SharePoint auto-hosted Facebook application. Auto-hosted means that the server component of my app will be automatically deployed to Azure each SharePoint customer. There is no way (that I know of, obviously anything is hackable to a degree) that a user will be able to get the app id or secret, so I'm not concerned about the security aspect of it, or sharing the secret. However, potentially thousands of individual apps could be using the same app id/secret to connect to Facebook. Is this an issue?
By the way, I'm not necessarily talking about the bandwidth/traffic threshold, I'm more concerned with the number of individual connections using the same id/secret. I realize that the policy states: "If you exceed, or plan to exceed, any of the following thresholds please contact us as you may be subject to additional terms: (>5M MAU) or (>100M API calls per day) or (>50M impressions per day)." This is not my immediate concern.
However, potentially thousands of individual apps could be using the same app id/secret to connect to Facebook. Is this an issue?
yes, absolutely yes.
The App access token is intended for making API calls on behalf of an application, to prove the calls are made on behalf of the app itself - the typical use cases are performing administrative actions like uninstalling the app from a user profile or blocking them, updating app settings, sending notifications to authorised users, reading financial data about the app's payments transactions, etc.
If you're planning on making read calls with an app access token i suspect you're misunderstanding the access model used in Facebook's API - you should be making API calls on behalf of specific Facebook users who've granted your app permission to access and update their data - embedding an app ID and secret in code you're distributing widely is a security issue for your app's users, will quickly hit API rate limits and if the app is shut off will break all instances of your client code immediately.
I strongly recommend you read the login documentation and ensure you're using user access tokens to request user data - https://developers.facebook.com/docs/facebook-login/