by macspoofing 2544 days ago
And if you want headless access this passphrase will be stored unencrypted. This is nothing more than security Kabuki theater.

Well, yeah, some keys must be unencrypted to be useful. But in a lot of cases you can and should encrypt your keys used to do manual stuff.
In this scenario, wouldn't that mean the user will have to enter a passphrase on each Trello boot to be able to use it?

(ask for passphrase -> decrypt auth token -> Access API)

No, you use ssh-agent.
Or you can restrict the file with the key to a specific user and only run the process as that user.

The point is, you haven't actually solved the problem. It's not magic. In a 2-system authentication scheme, where headless access is necessary, a key needs to be somewhere in plaintext accessible to the process. You can obfuscate this, or add OS controls, or hardware chips, or ssh-agent, or keystores, or web-services for keys, but it doesn't change this reality.

Indeed, if you want to do something stupid, something stupid will be the result.
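The flow sketched in the thread (ask for passphrase, decrypt the stored token, then call the API) together with the file-permission restriction mentioned in the replies, as an added example that is not part of the original discussion. The code below is stdlib-only Python: the key is derived from the passphrase with scrypt, the token is sealed with an HMAC-SHA256 keystream and an encrypt-then-MAC tag (a demonstration construction; a real deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305 from a library like `cryptography`), and a loader refuses key files that are group/other-readable or owned by someone else, the same check OpenSSH applies to private keys. All function names, the blob layout and the sample token are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# scrypt cost parameters (assumed for the example; 16 MiB working memory)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase into 64 bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 as a PRF (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_token(token: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC the token under a passphrase. Blob = salt | nonce | ct | tag."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    k = derive_key(passphrase, salt)
    enc_key, mac_key = k[:32], k[32:]
    ct = bytes(a ^ b for a, b in zip(token, _keystream(enc_key, nonce, len(token))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_token(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag first, then decrypt; a wrong passphrase fails closed."""
    if len(blob) < 16 + 16 + 32:
        raise ValueError("blob too short")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    k = derive_key(passphrase, salt)
    enc_key, mac_key = k[:32], k[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or corrupted token file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def private_file_problem(path: str):
    """Return None if the file is usable as a secret store, else a reason string.

    Mirrors the ssh client's refusal of keys with loose permissions: the file must be
    owned by the calling user and carry no group/other permission bits.
    """
    st = os.stat(path)
    if st.st_uid != os.getuid():
        return "not owned by the current user"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "group/other permission bits set (expected mode 0600)"
    return None


def load_token(path: str, passphrase: str) -> bytes:
    """The thread's flow: check the file, read the blob, unseal it in memory only."""
    problem = private_file_problem(path)
    if problem:
        raise PermissionError(f"refusing {path}: {problem}")
    with open(path, "rb") as f:
        return open_token(f.read(), passphrase)


def permission_check_demo() -> tuple:
    """Write the same sealed blob with mode 0644 and 0600 and report what the loader says."""
    token = b"constructed-sample-api-token"  # constructed sample, not a real credential
    blob = seal_token(token, "correct horse")
    results = []
    for mode in (0o644, 0o600):
        fd, path = tempfile.mkstemp()
        try:
            os.write(fd, blob)
            os.close(fd)
            os.chmod(path, mode)
            try:
                results.append(load_token(path, "correct horse"))
            except PermissionError as e:
                results.append(str(e))
        finally:
            os.unlink(path)
    return tuple(results)


if __name__ == "__main__":
    loose, strict = permission_check_demo()
    print("0644:", loose)
    print("0600:", strict)
```

This addresses the at-rest half of the argument only: once `open_token` returns, the plaintext token lives in the process's memory exactly as the original comment says it must, and an unattended service would still need the passphrase from somewhere (an agent process, an OS keystore, a hardware token), which moves the problem rather than removing it.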