Add an advanced API token option to allow selection of all API methods separately.
As a web-hosting provider, I would like to have the ability to customise which API methods are allowed when creating a token with full root access, so that it is more secure to use the API.
This would greatly improve the security of using API tokens. You should never allow full access to all API methods in order to limit the impact if the tool that uses the API is compromised.
We have encountered two cases where this would be helpful.
- Transfer accounts between servers without allowing this token to delete accounts, add SSH keys, reboot the server, etc.
- List all user accounts, including accounts owned by other users, without allowing the API token to do anything else.
I would see this feature as an addition to the existing system: a simple ACL with checkboxes for all API methods that is only accessible when "Everything all root access" is enabled.
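The following is an added illustration of the per-token method ACL requested above, written for this page and not taken from the product or the requester. It models the two use cases in the post: a migration token that may only list and transfer accounts, and an inventory token that may only list accounts. The API method names (`list_accounts`, `transfer_account`, `delete_account`, `add_ssh_key`, `reboot_server`, `create_account`), the `TokenStore`/`authorize` names and the policy layout are all assumptions made for the example; `allowed_methods=None` stands in for today's "everything" behaviour, and a frozenset stands in for the checkbox ACL. Tokens are stored only as SHA-256 digests so a leaked token table does not hand out usable credentials, and every decision defaults to deny.

```python
"""Per-token API method allowlist: example code, not the product's own."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical API method names, chosen only to illustrate the two use cases.
ALL_METHODS = frozenset({
    "list_accounts", "transfer_account", "create_account",
    "delete_account", "add_ssh_key", "reboot_server",
})


@dataclass(frozen=True)
class TokenPolicy:
    name: str
    # None reproduces the current behaviour: a root token may call everything.
    # A frozenset is the proposed ACL: only the ticked methods are permitted.
    allowed_methods: Optional[frozenset] = None


class TokenStore:
    """Keeps token digests, never the tokens themselves."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, TokenPolicy] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, name: str,
              allowed_methods: Optional[Iterable[str]] = None) -> str:
        """Create a root token, optionally restricted to an explicit method list."""
        policy_methods: Optional[frozenset] = None
        if allowed_methods is not None:
            policy_methods = frozenset(allowed_methods)
            unknown = policy_methods - ALL_METHODS
            if unknown:
                # Refuse typos at issue time rather than silently granting nothing.
                raise ValueError(f"unknown API methods: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self._by_digest[self._digest(token)] = TokenPolicy(name, policy_methods)
        return token

    def lookup(self, token: str) -> Optional[TokenPolicy]:
        return self._by_digest.get(self._digest(token))


def authorize(store: TokenStore, token: str, method: str) -> Tuple[bool, str]:
    """Decide whether `token` may call `method`. Default is deny."""
    policy = store.lookup(token)
    if policy is None:
        return False, "unknown token"
    if method not in ALL_METHODS:
        # An unknown method never matches, even for an unrestricted token.
        return False, f"unknown method {method!r}"
    if policy.allowed_methods is None:
        return True, f"{policy.name}: full root access"
    if method in policy.allowed_methods:
        return True, f"{policy.name}: {method} allowed by ACL"
    return False, f"{policy.name}: {method} not in ACL"


def demo() -> Dict[str, bool]:
    """Exercise the two use cases from the request and return each decision."""
    store = TokenStore()
    migration = store.issue("migration", {"list_accounts", "transfer_account"})
    inventory = store.issue("inventory", {"list_accounts"})
    legacy = store.issue("legacy-full-root")  # no ACL: today's behaviour
    checks = {
        "migration transfers": (migration, "transfer_account"),
        "migration deletes": (migration, "delete_account"),
        "migration adds ssh key": (migration, "add_ssh_key"),
        "migration reboots": (migration, "reboot_server"),
        "inventory lists": (inventory, "list_accounts"),
        "inventory transfers": (inventory, "transfer_account"),
        "legacy reboots": (legacy, "reboot_server"),
        "bogus token lists": ("not-a-real-token", "list_accounts"),
    }
    return {label: authorize(store, tok, m)[0] for label, (tok, m) in checks.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:24s} -> {'ALLOW' if allowed else 'DENY'}")
```

The check is deliberately an exact match against a fixed list of method names rather than a prefix or wildcard rule, so a newly added API method is denied to every restricted token until someone ticks its box; that is the property that keeps a compromised migration tool from growing new capabilities when the API grows.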