
Allow restricting scopes when generating OAuth apps for API access

  • October 9, 2021
  • 2 replies
  • 10 views

mefarazath

For API authentication we need to create an OAuth application. However, there is no way to limit the scopes that are allowed for tokens generated using the application.

This is particularly useful if you want to create an app and share the keys with a team member who just wants read operations of the API. Currently we have to rely on/trust the application/developer not to use the keys to generate an access token which can do write operations too.

It would be good if the admin had a way to limit the scopes which are allowed for an OAuth app. This is a common practice in GitHub and other places too.

This eliminates the possibility of misuse of API keys for unintended purposes. (Like in my example, somebody using the same keys to delete stuff, etc.)

2 replies

daniel.boon
  • Helper ⭐️⭐️⭐️
  • October 20, 2021

Thanks for sharing this idea @mefarazath and explaining how it would benefit you.

It is possible to set a read-only scope, but indeed this only applies to the Community API → the User API and Gamification API do not currently use scopes, which means that the keys could be used to create/delete user-related data.

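The two behaviours discussed above, the per-app scope ceiling that the original post asks for and the scope-blind API that the reply says still exists, modelled as an added example. This is not code from the platform or from either poster; the class names, the scope strings `community:read` / `community:write`, the client_credentials flow, and the toy `ResourceServer` endpoints are all assumptions made for illustration. The point it shows is that restricting scopes at the token endpoint only helps for APIs that actually check the scope on each call.

```python
"""Hypothetical model: admin-set scope ceiling per OAuth app, plus two resource
APIs, one that enforces scopes and one that does not (added example, not the
platform's own code)."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class OAuthApp:
    client_id: str
    client_secret: str
    allowed_scopes: frozenset  # admin-set ceiling fixed when the app is created


@dataclass(frozen=True)
class AccessToken:
    value: str
    client_id: str
    scopes: frozenset


class InvalidClient(Exception):
    pass


class InvalidScope(Exception):
    pass


class InsufficientScope(Exception):
    pass


class AuthorizationServer:
    """Token endpoint for the client_credentials grant with per-app scope limits."""

    def __init__(self):
        self.apps = {}
        self.tokens = {}

    def register_app(self, client_id, allowed_scopes):
        """Admin action: create the app and fix the scopes it may ever obtain."""
        secret = secrets.token_urlsafe(32)
        self.apps[client_id] = OAuthApp(client_id, secret, frozenset(allowed_scopes))
        return secret

    def issue_token(self, client_id, client_secret, scope=None):
        """Mint a token; any requested scope outside the app's ceiling is refused."""
        app = self.apps.get(client_id)
        # Constant-time comparison so the secret check does not leak timing.
        if app is None or not hmac.compare_digest(app.client_secret, client_secret):
            raise InvalidClient("invalid_client")
        requested = frozenset(scope.split()) if scope else app.allowed_scopes
        excess = requested - app.allowed_scopes
        if excess:
            # RFC 6749 allows narrowing silently; rejecting (error invalid_scope)
            # makes the admin's restriction visible to whoever holds the keys.
            raise InvalidScope("invalid_scope: " + " ".join(sorted(excess)))
        token = AccessToken(secrets.token_urlsafe(32), client_id, requested)
        self.tokens[token.value] = token
        return token

    def introspect(self, token_value):
        return self.tokens.get(token_value)


class ResourceServer:
    """Two hypothetical APIs behind the same tokens (constructed sample data)."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.posts = {"p1": "hello"}
        self.users = {"u1": "alice"}

    def _require_scope(self, token_value, needed):
        token = self.auth.introspect(token_value)
        if token is None:
            raise InvalidClient("invalid_token")
        if needed not in token.scopes:
            raise InsufficientScope("insufficient_scope: need " + needed)
        return token

    def community_delete_post(self, token_value, post_id):
        """Scope-aware endpoint: a write scope is required to delete."""
        self._require_scope(token_value, "community:write")
        return self.posts.pop(post_id, None)

    def user_delete_unscoped(self, token_value, user_id):
        """Scope-blind endpoint: any valid token, even read-only, can delete."""
        if self.auth.introspect(token_value) is None:
            raise InvalidClient("invalid_token")
        return self.users.pop(user_id, None)


def demo():
    """Run the scenario from the thread and return the outcomes."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    secret = auth.register_app("reporting-bot", ["community:read"])
    read_token = auth.issue_token("reporting-bot", secret, "community:read")
    try:
        auth.issue_token("reporting-bot", secret, "community:read community:write")
        write_token_issued = True
    except InvalidScope:
        write_token_issued = False
    try:
        api.community_delete_post(read_token.value, "p1")
        post_deleted = True
    except InsufficientScope:
        post_deleted = False
    user_deleted = api.user_delete_unscoped(read_token.value, "u1") is not None
    return {
        "token_scopes": sorted(read_token.scopes),
        "write_token_issued": write_token_issued,
        "post_deleted": post_deleted,
        "user_deleted_via_unscoped_api": user_deleted,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the four outcomes: the app's keys can only mint a `community:read` token, the scope-aware endpoint refuses the delete, but the scope-blind endpoint still deletes the user with that same token. Closing the gap needs both halves: the ceiling at the token endpoint and a scope check on every endpoint that writes.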

daniel.boon
  • Helper ⭐️⭐️⭐️
  • October 20, 2021
Updated idea status: New → Open