I think the biggest cause of this is just how Sandstorm really wants you to use it for authorization, which means that authorization needs to be scoped at the app instance level. There are good reasons for this. However, for standalone use, app instances need broader scope than what you usually want for authorization.
If not for that mismatch, one could just wrap most existing apps that support pubcookie authentication in a layer that translates Sandstorm APIs into HTTP.
