Description / Overview
Currently there is the ability to create user-scoped tokens only, but having app-scoped tokens can be advantageous for multiple reasons.
Note: this proposal doesn't suggest removing user-tokens since they would still be needed for the CLI and perhaps other use-cases, but instead app-scoped tokens are in addition to the current feature.
Proposal
Add the ability to list and create tokens within the app dashboard:
These would work in a similar way to the user-token list at https://fly.io/user/personal_access_tokens
(Sorry, the image should say "Access Tokens".)
Why? State current drawbacks and advantages of this approach.
User-scoped tokens have a pretty big blast radius if they are compromised, especially if you have a lot of apps within Fly which can all be accessed and changed with a single token.
The advantage of app-scoped tokens means that damage can only be done to the application concerned and not all of them in any particular account.
Links / References
Whilst we're not using JWTs (which perhaps could come later) this article gives interesting background information between ID tokens and Access tokens: