Tags: facebook, facebook-graph-api, photos, access-token

Why does the photos API require an access token for public photos?


The photos API requires an access token to be provided when making a request for publicly visible photos.

However, any access token will do. So on this discussion board and others, developers have been advised to simply use their own developer access token with offline_access permissions. Obviously this is undesirable since this access token may have sensitive permissions, or may expire if the developer changes their Facebook password.

Presently I am planning on registering an alternate Facebook application and generating a basic access token for myself with only the offline_access permission granted. Is there anything I should be concerned about with regard to making a very large number of API calls using a single access token, or by revealing this token to the public?


Solution

  • Facebook has been moving all of their API calls to requiring an access_token. This is probably so they can rate limit and restrict applications that may end up abusing their services. I wouldn't recommend embedding a user access token because people can take it and get information about your account. If you don't want to embed a developer account user access token, a lot of the calls can use an application token available on your application settings page or by passing a token in this format: appId|appSecret
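
A pre-release check for the exposure discussed above, added here as an example that is not part of the original question or answer: it scans client-side source for access-token literals, including the appId|appSecret form and its URL-encoded variant, and reports them redacted so they can be moved server-side. The 32-hex-character secret length, the sample JavaScript, the token values and the `/photos-proxy` route are assumptions constructed for illustration.

```python
import re

# Assumption: numeric app ID and a 32-hex-character app secret; the page gives
# only the shape appId|appSecret. "%7C" is the URL-encoded pipe.
APP_TOKEN = re.compile(r"\b(\d{5,20})(?:\||%7[Cc])([0-9a-fA-F]{32})\b")
# Any other long literal passed as access_token (for example a user token).
PARAM_TOKEN = re.compile(r"access_token=(?!\d+(?:\||%7[Cc]))([A-Za-z0-9_\-]{20,})")

# Constructed sample of client-side code; every token value here is made up.
SAMPLE_JS = """\
var albumId = "1234567890";
var a = "https://graph.facebook.com/" + albumId + "/photos?access_token=100000000000001|0123456789abcdef0123456789abcdef";
var b = "https://graph.facebook.com/me/photos?access_token=CONSTRUCTEDuserTOKENvalue0000000000";
fetch("/photos-proxy?album=" + albumId);  // hypothetical server route that holds the token
"""

def redact(value, keep=4):
    """Keep a short prefix so a finding can be traced without re-leaking it."""
    return value[:keep] + "*" * (len(value) - keep)

def find_embedded_tokens(source):
    """Return (line_no, kind, redacted_value) for each token literal found."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in APP_TOKEN.finditer(line):
            findings.append((line_no, "app_token", m.group(1) + "|" + redact(m.group(2))))
        for m in PARAM_TOKEN.finditer(line):
            findings.append((line_no, "access_token_literal", redact(m.group(1))))
    return findings

if __name__ == "__main__":
    for line_no, kind, value in find_embedded_tokens(SAMPLE_JS):
        print(f"line {line_no}: {kind}: {value}")
```

A token flagged as `app_token` contains the app secret itself, so a hit means the secret should be reset as well as removed from the client.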