Regarding the first question, you now must use OAuth for all API requests, hashtags included. See here.
In version 1.1, we will require every request to the API to be authenticated
I don't know about services, but why not use OAuth? You just need "application authentication", not the user to log in.