OK, so as to how IS knows what app is to be used, the access key you use to request endpoint validation must first have been authorized through the OAuth process. This means that once you have a validated endpoint, that endpoint is registered for that authorized app. Nothing more needs to be done there.
I know that in the documentation, the callback for OAuth requires HTTPS, but I don't think the URL that is validated as an endpoint has to be.
Yes, those are the GitHub examples I have referred to. Keep in mind that in all but one example, they are referring to REST 'calls', not REST hooks. There is one example that includes validating the hooks, but both are worked with completely differently. So the hooks use REST calls to get information like a list of registered endpoints, but once the endpoint is validated, you really only need to have a script that captures the data and then uses it as you see fit.
For the case of using the REST hooks, you also would not need to maintain the tokens, as they are only necessary for validation or for REST calls. You could register the endpoints and from there just have a script that receives data from IS and does something with it. Now, if you need to write back to an IS app, then that is different and you would need to maintain the keys.
I personally separate these processes. So I use a folder for running API work. But I also have a separate folder with subfolders for each endpoint, like ../contact/create or ../contact/delete, and in each I place a single index.php file that reads the request body, gets the JSON code from IS and then processes through that information.
With normal API/REST calls it is business as usual, with using a valid access token and making call outs to create a contact, apply tags, etc.
If you look here at documentation on REST hooks/calls:
it goes over using REST calls to establish REST hooks (among other things). I think you are mostly confused because you are approaching the use of hooks and calls as if they would work the same, understanding that they have some things in common but are not worked with the same way. What's in common is that REST calls are used to define/establish the hook endpoints. But what's not in common is that the endpoints, having been registered, do not need to make REST calls (although they can). The calls require access token use and maintenance, which includes a call for creating the hook reference, but the hooks just have to sit there and be ready to receive data.
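
A sketch of the per-endpoint `index.php` receiver described above, added here as an example and not taken from the post or from the GitHub examples it mentions. It assumes the verification request carries an `X-Hook-Secret` header that must be echoed back and that event payloads carry `event_key` and `object_keys` fields with integer `id` values. Because the receiver holds no token, it treats every request body as untrusted input.

```php
<?php
// Added example for one hook endpoint, e.g. ../contact/create/index.php.
// Assumed, not stated in the post: X-Hook-Secret handshake, "event_key" and
// "object_keys" payload fields, and the character limits used below.

function handle_hook(array $headers, string $body): array
{
    // HTTP header names are case-insensitive, so normalise before lookup.
    $headers = array_change_key_case($headers, CASE_LOWER);

    // Verification handshake: echo the secret back and do no other work.
    if (isset($headers['x-hook-secret'])) {
        $secret = $headers['x-hook-secret'];
        // Refuse control characters or oversized values before reflecting them.
        if (!is_string($secret) || !preg_match('/^[\x21-\x7e]{1,256}$/', $secret)) {
            return [400, [], null];
        }
        return [200, ['X-Hook-Secret' => $secret], null];
    }

    // Event delivery: cap the body size, then parse strictly.
    if ($body === '' || strlen($body) > 65536) {
        return [400, [], null];
    }
    $data = json_decode($body, true);
    if (!is_array($data) || !is_string($data['event_key'] ?? null)
        || !preg_match('/^[a-z_.]{1,64}$/i', $data['event_key'])
        || !is_array($data['object_keys'] ?? null)) {
        return [400, [], null];
    }
    // Keep only well-formed integer ids; ignore everything else in the payload.
    $ids = [];
    foreach ($data['object_keys'] as $key) {
        if (is_array($key) && is_int($key['id'] ?? null)) {
            $ids[] = $key['id'];
        }
    }
    return [200, [], ['event' => $data['event_key'], 'ids' => $ids]];
}

// Request glue; skipped when the file is loaded from the command line.
if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }
    [$status, $out, $event] = handle_hook(getallheaders(), (string) file_get_contents('php://input'));
    http_response_code($status);
    foreach ($out as $name => $value) { header("$name: $value"); }
    if ($event !== null) {
        // Replace this line with the endpoint's own processing of the event.
        error_log('hook ' . $event['event'] . ' ids=' . implode(',', $event['ids']));
    }
}
```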