There is a lovely trick in GateKeeper and code signing on Mac to pass an identifier through with the download of an application from your website. For each download, you can associate a UUID with the download, which the app can read after unpacking. You know the UUID on the website, so you can put it in a database and link it to the account of the current user. This way, when the app runs within minutes after download, you can link the application to the account without having the user log in within the application. You may have seen this with a couple of apps you downloaded before for meetings.
The extended attribute with the UUID is named com.apple.application-instance and is put on the application. You read it in Xojo with our ExtendedAttributesMBS.GetRawAttribute plugin function. When you sign the app, you zip the app to an archive. Next you add a "._name.app" file to the archive, named after your app, containing the encoded metadata with the extended attributes. We got such a file by zipping an application that carries the extended attribute using the ditto command line tool. Then we extracted the metadata file from the archive without applying it. Then we add this file to the application zip without compression, so one dummy UUID sits in the archive uncompressed. On the website, you would have a PHP script to replace the given UUID in the zip archive with whatever UUID you need for the user.
In short, the idea is to have the zip on the server. When someone loads it, you switch the UUID to the new one. Then you let the user download it and run the app within minutes, and you automatically log them in to their account. A seamless experience for the user!
And the great thing: changing the UUID in the com.apple.application-instance extended attribute will not break the code signing, as you can read in TN2206.
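
The server-side swap described above, as an added example written in Python rather than PHP (it is not the plugin's or the author's script). It assumes the UUID is stored as ASCII text inside the uncompressed "._name.app" entry, and it also rewrites that entry's CRC-32 in the local header and the central directory, since a plain byte replacement leaves both stale; the placeholder value, entry names and metadata bytes are constructed for the demo.

```python
import io, struct, uuid, zipfile, zlib

PLACEHOLDER = b"00000000-0000-0000-0000-000000000000"  # constructed dummy UUID

def patch_uuid(archive: bytes, new_uuid: str, placeholder: bytes = PLACEHOLDER) -> bytes:
    """Swap the placeholder in a stored (uncompressed) entry and repair its CRC-32."""
    new = new_uuid.encode("ascii")
    if len(new) != len(placeholder):
        raise ValueError("replacement must be exactly as long as the placeholder")
    buf = bytearray(archive)
    eocd = buf.rfind(b"PK\x05\x06")             # end-of-central-directory record
    if eocd < 0:
        raise ValueError("not a zip archive")
    count, _size, pos = struct.unpack_from("<HII", buf, eocd + 10)
    for _ in range(count):                       # walk the central directory
        flags, method = struct.unpack_from("<HH", buf, pos + 8)
        (csize,) = struct.unpack_from("<I", buf, pos + 20)
        nlen, xlen, clen = struct.unpack_from("<HHH", buf, pos + 28)
        (local,) = struct.unpack_from("<I", buf, pos + 42)
        lnlen, lxlen = struct.unpack_from("<HH", buf, local + 26)
        start = local + 30 + lnlen + lxlen       # first data byte of this entry
        hit = buf.find(placeholder, start, start + csize)
        if method == 0 and hit >= 0:             # method 0 = stored
            if flags & 0x08:
                raise ValueError("entry uses a data descriptor; not handled here")
            buf[hit:hit + len(new)] = new
            crc = zlib.crc32(buf[start:start + csize])
            struct.pack_into("<I", buf, local + 14, crc)  # local file header
            struct.pack_into("<I", buf, pos + 16, crc)    # central directory
            return bytes(buf)
        pos += 46 + nlen + xlen + clen
    raise ValueError("placeholder not found in a stored entry")

def build_sample_archive() -> bytes:
    """Constructed stand-in for the real zip: one deflated file, one stored metadata file."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("Sample.app/Contents/Info.plist", b"<plist/>" * 50, zipfile.ZIP_DEFLATED)
        zf.writestr("._Sample.app", b"com.apple.application-instance\0" + PLACEHOLDER,
                    zipfile.ZIP_STORED)
    return out.getvalue()

if __name__ == "__main__":
    token = str(uuid.uuid4())                    # random per-download identifier
    patched = patch_uuid(build_sample_archive(), token)
    print(zipfile.ZipFile(io.BytesIO(patched)).testzip())  # None: every CRC checks out
```

Because the replacement has the same length as the placeholder, no offsets or sizes in the archive change; only the UUID bytes and the two CRC-32 fields differ from the file on disk.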