I'm the creator of an open-source project that uses the python box-sdk. The application uses the traditional oauth2 dance (sure, jwt would also work). However, this project is intended to be installed on the user's machine, essentially daemonized.
The user may be a bit on the tech savvy side (as the project is built around Linux), but right now the setup is not simple.
Because of the open-source nature (and it is python, so the code is human-readable), I can't simply store the oauth2 credentials from my box developer application in the app. Anyone who is nefarious could simply do bad things with it.
I have a potential user who I've been working with trying to get the project set up on their computer. We have realized how unrealistic it is for non-devs (and even then) to get it running.
So, I could be misunderstanding the dev docs, but on the case that I'm not, is there another way that I can distribute my application such that it can run and work, without me putting sensitive credentials in it?
UPDATE:
Looks like there is a new section to the python SDK README about RemoteOAuth2. I'll update if I find that this works for me. Unfortunately, it seems I'll have to have some server set up that does the oauth2 creds dance...but I suppose that isn't so bad.
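As an added illustration of the split the update describes (not code from this post or from the box-sdk), here is the shape of a remote-managed token flow: a broker on a server you control is the only process that holds the client secret and refresh tokens, while the daemon shipped in the package holds just an install id and a callback with the signature RemoteOAuth2 expects (given the stale access token, return a fresh one). The `TokenBroker`, `fake_box_refresh` stub and all token values are assumptions constructed for the example; a real broker would call Box's token endpoint over HTTPS and authenticate the daemon per install.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

# ---- Broker side (runs on a server you control). Only this process sees the secret.
# Constructed placeholder; a real deployment reads it from the server's secret store.
BOX_CLIENT_SECRET = "PLACEHOLDER_CLIENT_SECRET"

def fake_box_refresh(refresh_token: str, client_secret: str) -> Tuple[str, str]:
    """Stand-in for the provider's token endpoint (constructed for this example).
    Returns (access_token, rotated_refresh_token) or rejects the request."""
    if client_secret != BOX_CLIENT_SECRET or not refresh_token.startswith("rt-"):
        raise PermissionError("provider rejected refresh")
    return "at-" + secrets.token_hex(8), "rt-" + secrets.token_hex(8)

class TokenBroker:
    """Keeps one refresh token per install; daemons only ever learn access tokens."""
    def __init__(self) -> None:
        self._refresh_tokens: Dict[str, str] = {}  # install_id -> refresh token

    def register(self, refresh_token: str) -> str:
        """Called once after the user finishes the OAuth2 dance on the broker's web page."""
        install_id = secrets.token_urlsafe(16)
        self._refresh_tokens[install_id] = refresh_token
        return install_id

    def revoke(self, install_id: str) -> None:
        """Cut off a single install without touching the app's client secret."""
        self._refresh_tokens.pop(install_id, None)

    def refresh(self, install_id: str) -> str:
        refresh_token = self._refresh_tokens.get(install_id)
        if refresh_token is None:
            raise PermissionError("unknown or revoked install")
        access, new_refresh = fake_box_refresh(refresh_token, BOX_CLIENT_SECRET)
        self._refresh_tokens[install_id] = new_refresh  # rotate; the old one is dead
        return access

# ---- Daemon side (ships in the open-source package). Holds an install id, no secret.
def make_retrieve_access_token(broker: TokenBroker, install_id: str) -> Callable[[Optional[str]], str]:
    """Builds the callback RemoteOAuth2 takes: stale token in, fresh token out."""
    def retrieve_access_token(old_access_token: Optional[str]) -> str:
        return broker.refresh(install_id)  # in production: HTTPS call to the broker
    return retrieve_access_token

def demo() -> Tuple[str, str, bool]:
    """Two refreshes, then a revoke; returns (token1, token2, revoke_blocked_refresh)."""
    broker = TokenBroker()
    install_id = broker.register("rt-initial")  # constructed initial refresh token
    retrieve = make_retrieve_access_token(broker, install_id)
    first, second = retrieve(None), retrieve(None)
    broker.revoke(install_id)
    try:
        retrieve(second)
        return first, second, False
    except PermissionError:
        return first, second, True
```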