Last Tuesday @AnneSchoenauer asked for a relatively light security layer, of the kind that can be implemented with shinyauth and I mentioned the author's disclaimer:

With that understanding I'm happy to implement it.

Overview

I consider three main factors: Complexity of setup, security, and cost:

Cost is intuitive. The minimum we can spend is a little money to maintain a server to host the app -- similar to what we already do in DigitalOcean. The most we can spend is about $120/month.
Complexity of setup: Paid options are straightforward, but free ones are quite complex to setup. To get an idea just skim this article, which covers the common alternatives.
Security: Paid solutions are secure, and also some popular, time-tested options. It's serious stuff and eventually we may need to delegate this to a security specialist. To get an idea, here are some quotes from reliable sources:

If your app [works with personally identifying information or regulated data], it's imperative that you partner with a software engineer with security expertise. --Mastering Shiny

Don’t: Roll your own Authentication. Do: Use Service Providers Such as Posit Connect. --Appsilon

For apps intended for use within commercial organisations, I would recommend one of RStudio’s commercial shiny hosting options, or shinyproxy, both of which have built in authentication options. --shinyauthr

The options that seem best are: 1) avoid it, 2) pay for shinyapps.io, 3) setup shinyproxy. This options may be implemented in that sequence: We can start by avoiding authentication, then pay some money to stay safe and deliver quickly, and finally implement shinyproxy for the mid-long term.

Below record some details of these and other options. My ranking for complexity and security aims NOT to reflect my opinion about those services in absolute terms, but to reflect how complex they feel to me given my current experience, and how secure I feel about a product built with those tools by me given my current experience.

Avoid it

Complexity: None
Security: High
Cost: Free

At least for an MVP this solution is easiest, safest, and cheapest:

Avoid collecting user data, and instead linik to a GoogleForm
Avoid storing licrensed data, and instead get it from the user. Users may get it from GoogleSheets or similar.

An alternative to 2. may be to automatically download the licensed data from a GoogleSheet accessible to specific users, which authorize via gargle. However supporting this may not be worth. The data still needs to be travel through the internet, the authentication process may impair user experience, and the implementation seems non-trivial.

shinyapp.io

Complexity: Easy (minutes)
Security: High (professional support, widely used)
Cost: $100-120 + tax per month

With shinyapps.io, you can limit the access to your application by enabling authentication. Only users who log-in with valid credentials will be able to view or use the app. -- Aplication authentication

We currently have use a free plan without support for authentication.

To support authentication we need to upgrade at least to the "Standard" plan.

Shiny server + shinyproxy + cloud server

Complexity (see shinyproxy setup, and shinyproxy droplet on DigitalOcean): Medium. It's quite complex but involves tools I'm familiar with (mainly Docker)
Security: Medium-high. The service seems well established. With simpler setup I'm less likely to make mistakes.
Cost: Free except the cloud server

Resources:

https://stackoverflow.com/a/40187306/25210153

Shiny server + Auth0 + cloud server

Complexity (2016 TODO search for more recent posts): Hard (hours-days)
Security: Medium. https://auth0.com/ seems well established but setup leaves room for error since it's complex and I lack experience.
Cost: Free except the cloud server