At present, Front API/OAuth tokens have very wide permissions, such as the "Shared Resources" token scope allowing read+write access to all shared resources.
To help improve security, it would be great to support more granular scopes such as read/write per resource type both on API tokens and tokens granted via OAuth.
For example, scopes could be:
conversations.read // Allows reading conversations/messages
conversation.write // Required for sending messages
contacts.read // Allows fetching/listing contacts
contacts.write // Allows creating/updating/deleting contacts
etc ...
There are plenty of cases where we might want to grant an integration partner access to some Front data but not everything; for example, a CRM sync tool getting permission to access only Contacts + Accounts + Custom Fields, with no Conversation or Teammate data.
This could also apply to admins choosing which specific workspaces an application authorized through OAuth has access to, versus granting access to all workspaces and resources.
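As an added illustration (not part of the original request and not Front's own code), here is how an API server could enforce the proposed per-resource read/write scopes together with a per-workspace restriction; the resource vocabulary and the `ws_sales` workspace id are constructed for the example:

```python
from typing import FrozenSet, Optional, Tuple
from dataclasses import dataclass

# Resource types the proposed scopes would cover (hypothetical vocabulary, not Front's real API).
RESOURCES = {"conversations", "contacts", "accounts", "custom_fields", "teammates"}
ACTIONS = {"read", "write"}


@dataclass(frozen=True)
class Token:
    scopes: FrozenSet[str]                      # e.g. {"contacts.read", "contacts.write"}
    workspaces: Optional[FrozenSet[str]] = None  # None = every workspace (today's behaviour)


def parse_scope(scope: str) -> Tuple[str, str]:
    """Split 'resource.action' and reject anything outside the known vocabulary."""
    resource, sep, action = scope.partition(".")
    if not sep or resource not in RESOURCES or action not in ACTIONS:
        raise ValueError(f"unknown scope: {scope!r}")
    return resource, action


def is_valid_scope(scope: str) -> bool:
    """True for a well-formed scope like 'contacts.read', False for e.g. 'shared_resources'."""
    try:
        parse_scope(scope)
        return True
    except ValueError:
        return False


def is_allowed(token: Token, resource: str, action: str, workspace: str) -> bool:
    """Allow a request only if the token carries the exact resource.action grant
    and the target workspace is inside the token's workspace restriction."""
    if token.workspaces is not None and workspace not in token.workspaces:
        return False
    # write does not imply read, and vice versa: each is a separate grant
    granted = {parse_scope(s) for s in token.scopes}
    return (resource, action) in granted


def crm_sync_token() -> Token:
    """The CRM-sync case from the request: contacts, accounts and custom fields only,
    limited to a single workspace (constructed example)."""
    return Token(
        scopes=frozenset({"contacts.read", "contacts.write",
                          "accounts.read", "custom_fields.read"}),
        workspaces=frozenset({"ws_sales"}),
    )
```

With this model the CRM tool can update contacts in `ws_sales` but any request for conversations, teammates, or another workspace is refused before it reaches the data layer.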