At the moment, API tokens have to be provisioned as an "almighty" token with which almost all administrative actions are possible.
This makes it (from a security PoV) pretty much impossible to hand out API tokens to workspace users who want to do some automation in their workspace, such as creating tenants and creating service instances.
It would be great if an API token could be scoped to just a single workspace, so that any changes made via the API are isolated to that workspace alone.