If by "server-side" call you mean getting a token for Express Checkout, I don't see how it's different from any existing OAuth implementation where site.com/oauth/twitter redirects to twitter.com/?oauth_token=TOKEN. That's the best practice actually.

Shameless plug - i have an article on paypal's oauth which is similar to oauth1 but hasn't fixed it's token fixation bug yet: http://homakov.blogspot.com/2014/01/token-fixation-in-paypal...