And how do you deal with the secret in the app (e.g. the API key) that you cannot make public?
I honestly think that there is something wrong with the architecture of that program or server if an application package available for download to the user has to contain a secret which the user cannot access.
According to this post, OAuth2 Client Credentials, it’s no longer the case, though; the application just needs a regular login and password, the same as you enter on the website. It is suggested not to store that but instead to get some reauth-token, though.
The point of F-Droid is not only to make sure that an application is not doing anything ominous, though. It’s also that Google Play requires a login even to browse and install payment-free applications. Why does Google Play require a password while other software repositories do not?