Do you have any advice on providing fine-grained permission controls for API keys? Any great example implementations you've seen? Any docs or best practices I should look at?
By "fine grained permissions for API keys", I mean that a user could create an API key with a certain set of permissions (eg CREATE resource type X, READ (but not modify) resource type Y, prohibit access to endpoints A and B, etc), then create another key with other permissions, etc. Admins could see what keys were created by whom, what permissions they have, do key regeneration, etc.
Thanks, Cooper