[Feature] Add the ability to create API keys with limited permissions

[jwillikers]

The feature

Generated API keys have all permissions for an associated user. I'm working on a DIY camera, and I'd like to have it automatically upload photos via Immich CLI. The primary issue with this is that the API key has the scope of the user. This becomes really insecure when using my default admin user, but even using a regular user, the API key can probably still be used to delete uploaded assets. Ideally, I'd be able to generate an API key for my admin user account with upload-only permissions and be able to use this key on the camera.

Platform

• Server
• Web
• Mobile

[mmomjian]

I would also love to have an API key restricted to monitoring, such as UptimeKuma. I currently use the GET /server-info/statistics endpoint to check for library sizes but some kind of health / status endpoint could be good as well.

[radh21301]

I definitely need this. I am using a couple of tools that work with immich. Immich-frame (digital photo frame) and Dawarich (google timeline alternative) - and I would really like to avoid scenarios where they could delete or corrupt my immich data since they have unrestricted access.

[bo0tzz]

This is now possible, it's just not exposed in the UI yet.

[bestrocker221]

Thats great! I can see in the API key documentation the possibility to specify the scope.
Is in the plan to add the support for even more granular permissions, for example read-only per-album?

[adamzvolanek]

Will it be exposed in the UI with the major release of Immich?