When private package is uploaded, set the correct location for the box.json to point to the right location on S3.
Make sure that only authorised users can access the location. (owner and in the future, collaborators)
What endpoint do you use to determine the download location for a package?
This will let us know where in the API we need to do this...