“Macaroons” can be as specific as you want. Even better, once you get a token, you can delegate it while restricting the access even more. For example, if you have a token with read/write access to a resource, you can easily make a read-only token out of it by appending a new caveat that says “read-only” at the end. But there are already a few posts about this here.
2 Likes