Ask HN: Is twitter.com just another application built on api.twitter.com?

From your experience, what are some of the strategies people adopt in these cases? Do you have a different public API stack from the one your original client is built on?

Are there any considerations on limiting the public exposure of internal APIs? Or have you seen any successful implementation of a multi-tenant API where the product and third-party apps both use the same underlying API infrastructure?