Ideally, we would like to be able to scope our tokens to individual APIs and not have them tied to a user.
Essentially, we want proper OAuth tokens, not unscoped personal access tokens.
For example, a problem we ran into was that we needed to access the /v4/content/urls API, but it's a POST endpoint, and so even though it's not being used to update anything, our Read-Only tokens won't work because they are not allowed for POST requests.
This forces us to use Read/Write tokens, but without being able to scope them down, they are way too powerful and it's dangerous to have them around.
Hi Claire,
Thanks for this suggestion!
This is a request we've seen a few times and it's definitely something we'd like to do. We don't have concrete plans to do so at the moment.