We'd like the ability to lock-down (whitelist) what API permissions an API token has.

For example, we want to have an API token solely for the purpose of creating environment variables in a project. We don't need it to do anything else and would like to be able to only grant this ability (to add environment variables) and nothing more. This way the security would be much improved instead of having a token that has full access. The API action in our case we'd like to have an explicit permission for is https://circleci.com/docs/api/v2/index.html#tag/Project/operation/createEnvVar

I'm sure there'll be many other use-cases where it makes sense to only allow limited operations for improved security.

Thanks!