Limit API access by project and group
The GitLab API currently has very limited access scopes, allowing it to be used for only authentication or unlimited API access. This means that whenever API access is granted, via OAuth or Personal Access Token, to the `api` scope, the external system gains full access to every single project the user has access to.

We need to provide two different types of control:

1. limit which projects the API consumer can access **(this epic)**
1. limit the scope of permissions available to the API consumer https://gitlab.com/groups/gitlab-org/-/epics/178

### Vision

We should allow API access to be limited by project and group.