Registered users can generate a secure JSON file to use when they want to make use of the API. --> https://together.bunq.com/topic/handling-private-key-installation-token-api-key#comment-3741
It should work as follows:

1. User registers.
2. User generates his/her JSON (after the first API call this JSON will be stuck with the API).
3. User logs in on a "use API" page.

Let's say the user wants to see his/her total balance:

1. User uploads his/her JSON (like you would with the CSV).
2. User presses on "get total balance".
3. The JSON file gets sent to the server and gets decrypted, the server double-checks that the file belongs to the logged-in user, the API call is made, and the page gets updated.
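
One way to implement the server-side step described above (decrypt the uploaded JSON and double-check that it belongs to the logged-in user), as an added example that is not this project's own code. Assumptions: the file holds the user's API credentials, it is sealed with AES-256-GCM under a key that only the server holds, and every function and field name below is hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: a server-side secret that never leaves the server.
const SERVER_KEY = crypto.randomBytes(32);

// Seal the user's API credentials into the JSON file offered for download.
// The user id is bound as AES-GCM associated data, so the file only
// decrypts inside a session that belongs to the same user.
function sealCredentialFile(userId, credentials) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', SERVER_KEY, iv);
  cipher.setAAD(Buffer.from(String(userId)));
  const plaintext = JSON.stringify({ userId, credentials });
  const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return JSON.stringify({
    v: 1,
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    data: data.toString('base64'),
  });
}

// Open an uploaded file for the logged-in user. Returns the credentials, or
// null for anything malformed, tampered with, or issued to another user.
function openCredentialFile(sessionUserId, uploadedJson) {
  try {
    const file = JSON.parse(uploadedJson);
    if (file.v !== 1) return null;
    const iv = Buffer.from(file.iv, 'base64');
    const tag = Buffer.from(file.tag, 'base64');
    // Reject truncated tags instead of letting GCM accept a weaker one.
    if (iv.length !== 12 || tag.length !== 16) return null;
    const decipher = crypto.createDecipheriv('aes-256-gcm', SERVER_KEY, iv);
    decipher.setAAD(Buffer.from(String(sessionUserId)));
    decipher.setAuthTag(tag);
    const plaintext = Buffer.concat([
      decipher.update(Buffer.from(file.data, 'base64')),
      decipher.final(), // throws if the tag or the user binding does not match
    ]);
    const payload = JSON.parse(plaintext.toString('utf8'));
    // Second, explicit ownership check on the decrypted content.
    return payload.userId === sessionUserId ? payload.credentials : null;
  } catch {
    return null; // same answer for every failure, no detail leaked to the client
  }
}
```

The caller makes the API call only when `openCredentialFile` returns a non-null value for the user id taken from the authenticated session, never from the upload itself.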