There is no reason why your customer should ever need to know about the app token or the app id. They are both used only for communicating with the API, and they never change for the life of the app, so you should hard-code them into your app. Your app token is a secret password that you should never give out to anyone. It is used for authenticating your app.
I'm rewriting the App::Toodledo Perl module for API V2 and so it is used for writing apps. So I didn't see the need for specifying both the app ID and the app token for getting the session token since one is completely determined by the other. Is there a conversion mechanism?
The AppID is like a username and the App Token is like a password. You need both, just like you need both to sign into any website. You should just provide a way for developers who are using your library to define both values. And you should take care to keep the app token a secret, since it acts like a password.
In that case, it would be possible for someone to spoof your application. I don't know why anyone would do this, but if you are worried about this, then you'll need to find a way to keep the password a secret, maybe by routing sync requests through your own server, which would keep the password a secret.
I think this is an issue for all open source applications.
I'm working on a Toodledo Client for Windows, but I currently do not know what to do about the app token, because I want to publish the application's source code.
What is the worst thing that could happen if someone else knew the app token?
The worst thing that can happen from someone knowing your app token is that they create a different app that syncs poorly and triggers the rate-limiting code designed to protect our servers, which would cause your app token to be blocked and your customers would no longer be able to sync because Toodledo would think that your app was abusing the API.
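The practical pattern the replies above describe (the library takes both the app id and the app token from the developer's own configuration rather than carrying them in published source, and the token is treated as a password) as an added example. This is Python, not code from the App::Toodledo Perl module or from Toodledo; the environment variable names TOODLEDO_APP_ID and TOODLEDO_APP_TOKEN, the sample token value and the sample source files are all constructed for the illustration.

```python
import os
from dataclasses import dataclass, field
from typing import Iterable, List, Mapping, Optional, Tuple

# Hypothetical variable names; a real library would document its own.
ENV_APP_ID = "TOODLEDO_APP_ID"
ENV_APP_TOKEN = "TOODLEDO_APP_TOKEN"


@dataclass(frozen=True)
class AppCredentials:
    """App id (public, like a username) plus app token (secret, like a password)."""

    app_id: str
    # repr=False keeps the secret out of logs, tracebacks and debug output.
    app_token: str = field(repr=False)

    @classmethod
    def from_env(cls, env: Optional[Mapping[str, str]] = None) -> "AppCredentials":
        """Load both values from the environment; refuse to start if either is missing."""
        env = os.environ if env is None else env
        app_id = env.get(ENV_APP_ID, "")
        app_token = env.get(ENV_APP_TOKEN, "")
        missing = [name for name, value in ((ENV_APP_ID, app_id), (ENV_APP_TOKEN, app_token)) if not value]
        if missing:
            raise ValueError("missing app credentials: " + ", ".join(missing))
        return cls(app_id=app_id, app_token=app_token)

    def redact(self, text: str) -> str:
        """Scrub the token from any message that might be printed or logged."""
        return text.replace(self.app_token, "<app_token redacted>")


def find_hardcoded_token(token: str, files: Iterable[Tuple[str, str]]) -> List[str]:
    """Pre-publish check: names of source files that contain the secret token verbatim."""
    return [name for name, body in files if token in body]


if __name__ == "__main__":
    # Constructed configuration: in practice these come from the developer's shell or config file.
    demo_env = {ENV_APP_ID: "exampleapp", ENV_APP_TOKEN: "tok_example_0000"}
    creds = AppCredentials.from_env(demo_env)
    print(creds)  # app_id only; the token is not shown
    print(creds.redact("request failed with token tok_example_0000"))

    # Constructed source tree: one file mistakenly carries the token inline.
    tree = [
        ("lib/App/Toodledo.pm", "my $token = 'tok_example_0000';\n"),
        ("README", "Set TOODLEDO_APP_TOKEN before running.\n"),
    ]
    print("files leaking the token:", find_hardcoded_token(creds.app_token, tree))
```

The check in find_hardcoded_token is the part that matters for an open-source client: run it against the working tree before every release, with the real token supplied only from the environment, so the token can never reach the public repository.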