some way to create an API token restricted to only certain operations

Bug #924460 reported by Colin Watson
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Launchpad itself | Triaged | Low | Unassigned |

Bug Description

I'm thinking of moving a script [1] that currently runs as lp_archive@cocoplum (which we want to get rid of the Ubuntu archive team's shell access to) to an API script that runs on the shared ubuntu-archive account on lillypilly (a.k.a. people.canonical.com).

On the whole I think this is a stepping stone to an improvement in system security, albeit only one of many. However, it would require creating a bot account that's a member of the ~ubuntu-archive team, which owns the Ubuntu primary archive, and setting up ubuntu-archive@lillypilly to be able to use that account unattended. Curtis thinks this is probably a fair exchange for what we're currently doing, and I tend to agree.

However, to reduce the security exposure in the event of a compromise, it would be nice if it were possible to restrict the capabilities of the token in the possession of ubuntu-archive@lillypilly. For example, it would be great to be able to say "this token can GET anything that isn't private, but it's only allowed to call this one method using POST". You could still do some damage with that with some creativity, but it would make it a great deal more awkward, particularly if it weren't possible to deduce from the client-side credential which methods were permitted.

[1] The purpose of the script is to automatically copy packages from -security to -updates pockets in stable releases provided that the history in -updates hasn't diverged, which is an operation that saves Canonical a considerable amount of money due to the way it interacts with mirroring.

Tags: api oauth
Aaron Bentley (abentley)
Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
Curtis Hovey (sinzui)
tags: added: api oauth
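
The restriction requested in the bug description, sketched as a server-side check. This is an added example, not Launchpad code and not part of the original report; the token id, the operation name `copy_security_to_updates`, and the `TokenPolicy`/`authorize` names are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenPolicy:
    """Server-side restriction attached to one API token (hypothetical)."""
    allow_public_get: bool = True
    # Named operations this token may invoke via POST; all others are denied.
    allowed_post_ops: frozenset = frozenset()

# Constructed sample data. The policy lives only on the server, keyed by
# token id, so a stolen credential does not reveal which methods it permits.
POLICIES = {
    "tok-archive-bot": TokenPolicy(
        allowed_post_ops=frozenset({"copy_security_to_updates"})),
}

# What the unattended client account holds: no scope information at all.
CLIENT_CREDENTIAL = {"token_id": "tok-archive-bot", "secret": "<placeholder>"}

def authorize(token_id, http_method, resource_is_private, operation=None):
    """Return True only if the token's policy permits this request."""
    policy = POLICIES.get(token_id)
    if policy is None:
        return False  # unknown or revoked token
    method = http_method.upper()
    if method == "GET":
        # "GET anything that isn't private"
        return policy.allow_public_get and not resource_is_private
    if method == "POST":
        # "only allowed to call this one method using POST"
        return operation is not None and operation in policy.allowed_post_ops
    # PUT, PATCH, DELETE and anything unrecognised: default deny.
    return False

if __name__ == "__main__":
    tok = CLIENT_CREDENTIAL["token_id"]
    for req in [("GET", False, None), ("GET", True, None),
                ("POST", False, "copy_security_to_updates"),
                ("POST", False, "some_other_operation"),
                ("DELETE", False, None)]:
        print(req, "->", authorize(tok, *req))
```
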
This report contains Public information  
Everyone can see this information.
