It would be great to have a possibility to limit allowed paths for single user's token.
In our case the idea is to create user with admin/project-admin permissions, create token for this user with very limited permissions (e.g. /pull-requests/ only) and provide this token for several external automation tools.