Read-Only or Scoped Permissions for OwnerRez API Tokens

This request is a duplicate of Read-Only Scope for OAuth Applications/API Access
3 Votes Closed
Bri
1 hr ago
OR Team Member · Member for 4 years · 699 posts

[This topic has been merged with another topic (Read-Only Scope for OAuth Applications/API Access). All unique votes have also been merged.]

PM Company L
1 hr ago
Member for 4 years · 9 posts

We're using the OwnerRez API to pull booking data, guest details, and compliance information into our internal operations system, and it has been working very well for us.

However, we've noticed that API tokens currently have full read/write access, with no way to limit permissions. For our use case, we only need read access. We never modify bookings, payments, or property data through the API.

Having a full-access token introduces unnecessary risk. If a token were compromised, or if a script contained a bug, it could potentially modify or delete data without any platform-level safeguard.

Would it be possible to add one of the following?

  • Scoped API tokens — the ability to choose read-only vs. read/write when generating a token
  • Role-based API access — tokens inherit the permissions of the user account that created them (for example, a user with a Viewer role would receive a read-only token)
  • Per-endpoint permissions (this would be the best) — granular control over which API endpoints a token can access, such as GET only, with no POST, PUT, or DELETE access

Any of these options would help us follow the principle of least privilege and reduce our exposure. I imagine other property managers using the API for reporting, dashboards, and internal tools would benefit from this as well.

We are currently enforcing read-only access at the application layer. However, things could change in the future, or those protections could potentially be altered on our end, so we would appreciate the added safeguard of enforcing read-only access on the API side as well.
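The application-layer read-only enforcement the post describes, written out as an added example (this is not OwnerRez code or the poster's own integration): a client wrapper that forwards only safe HTTP verbs, refuses method-override headers that some frameworks would honour, and never sends the token anywhere but the expected API host over TLS. The host name, the bearer-token auth scheme and the `/v2/bookings` paths in the demo are placeholders, not documented OwnerRez values. It also makes the poster's point concrete: because the guard lives in the caller's code, anyone able to edit that code can remove it, which is why a token scope enforced on the API side is the stronger control.

```python
"""Application-layer read-only guard for an HTTP API token (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Methods RFC 9110 classes as "safe": they must not change server state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Some frameworks rewrite the verb from a header; a guard that looks only at
# the verb could be bypassed by it, so such headers are rejected outright.
METHOD_OVERRIDE_HEADERS = frozenset({"x-http-method-override", "x-method-override"})

# Placeholder host; the real API host is whatever the vendor documents.
ASSUMED_API_HOST = "api.example.invalid"

# Transport signature: (method, url, headers) -> decoded response.
Transport = Callable[[str, str, Dict[str, str]], dict]


class WriteAttemptBlocked(PermissionError):
    """A caller tried to send a request the read-only policy forbids."""


@dataclass
class ReadOnlyClient:
    token: str
    send: Transport                       # injectable, so tests need no network
    host: str = ASSUMED_API_HOST
    audit_log: List[str] = field(default_factory=list)

    def request(self, method: str, url: str,
                headers: Optional[Dict[str, str]] = None) -> dict:
        method = method.upper()
        headers = dict(headers or {})
        parts = urlsplit(url)

        # The token must only ever travel to the API host, and only over TLS.
        if parts.scheme != "https" or parts.netloc != self.host:
            raise ValueError(f"refusing to send token to {parts.scheme}://{parts.netloc}")

        # Policy check 1: only safe verbs leave this process.
        if method not in SAFE_METHODS:
            self.audit_log.append(f"BLOCKED {method} {parts.path}")
            raise WriteAttemptBlocked(f"{method} is not permitted by read-only policy")

        # Policy check 2: no override header smuggling a write past check 1.
        for name in headers:
            if name.lower() in METHOD_OVERRIDE_HEADERS:
                self.audit_log.append(f"BLOCKED {method} {parts.path} (override header {name})")
                raise WriteAttemptBlocked(f"method override header {name!r} is not permitted")

        self.audit_log.append(f"ALLOWED {method} {parts.path}")
        headers["Authorization"] = f"Bearer {self.token}"   # assumed auth scheme
        return self.send(method, url, headers)


def demo() -> dict:
    """Exercise the guard against a fake transport and report what got through."""
    calls: List[str] = []

    def fake_send(method: str, url: str, headers: Dict[str, str]) -> dict:
        calls.append(f"{method} {url}")          # records only requests that passed
        return {"status": 200}

    client = ReadOnlyClient(token="PLACEHOLDER_TOKEN", send=fake_send)
    # Constructed attempts: one legitimate read, then three that must not reach the API.
    attempts = [
        ("GET", "https://api.example.invalid/v2/bookings", None),
        ("DELETE", "https://api.example.invalid/v2/bookings/1", None),
        ("GET", "https://api.example.invalid/v2/bookings/1", {"X-HTTP-Method-Override": "DELETE"}),
        ("GET", "http://api.example.invalid/v2/bookings", None),   # plaintext: token would leak
    ]
    outcomes: List[str] = []
    for method, url, hdrs in attempts:
        try:
            client.request(method, url, hdrs)
            outcomes.append("sent")
        except WriteAttemptBlocked:
            outcomes.append("blocked")
        except ValueError:
            outcomes.append("refused")
    return {"outcomes": outcomes, "transport_calls": calls, "audit": client.audit_log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Routing every call through one wrapper gives a single place to audit and a single place for a bug to undo the protection; the audit log is what lets a defender notice a script that has started attempting writes it never needed before.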
