The problem
I would like to standardize my configuration across machines and thus have $XDG_CONFIG_HOME/Psst/config.json read-only. That is however not possible with the tokens being written there.

Possible solution
If the tokens could be stored in a separate file such as $XDG_CONFIG_HOME/Psst/creds.json or similar.

Alternative solution(s)
I can work around things by using a launcher script that patches config.json but it's pretty ugly.

Additional context
This would also help people who like to keep their config directly in a git (or similar) repository.

Is there a standard way of doing this in other applications?

The problem isn't unique to psst. As an example, davmail allows specifying the path to the token file inside the configuration.

References:

• https://github.com/mguessan/davmail/blob/2caed4b0664d28f69d572ad21979c24af0207fd9/src/etc/davmail.properties#L27-L28
• https://github.com/mguessan/davmail/blob/master/RELEASE-NOTES.md#o365-4

Come to think of it - since many people store a lot of their dotfiles in a repository, if the path isn't configurable, it should probably be under $XDG_STATE_HOME and not $XDG_CONFIG_HOME.