Ideally, we would like to be able to scope our tokens to individual APIs and not have them tied to a user.
Essentially, we want proper OAuth tokens, not unscoped personal access tokens.
For example, a problem we ran into was that we needed to access the /v4/content/urls API but it's a POST endpoint and so even though it's not being used to update anything, our Read-Only tokens won't work because they are not allowed for POST requests.
This forces us to use Read/Write tokens, but without being able to scope them down they are way too powerful and it's dangerous to have them around.
Claire Campbell
Hi Claire,
Thanks for this suggestion!
This is a request we've seen a few times and it's definitely something we'd like to do. We don't have concrete plans to do so at the moment.