API Authentication

There is a developer in our company that needs to use the API to upload files.  Other users in the company need to be able to see the files via the web.  The developer and his app need to be locked down to only one folder in our enterprise.  What form of API authentication would be appropriate?

I started with App Token but then realized the files cannot be viewed in the web.  If I do JWT it seems like the developer would have admin rights, and we cannot have that.

Is there a way for a Box app to be locked down to one folder only?