Grant Read-Only API access please
For some integrations we want to only ever read from Xero. One great example is when we replicate a production Xero system into a test system. In those cases we NEVER want to write to production. Other cases are where clients only want data extracted from Xero.
This seems a simple ask - just disallow PUT, POST, and DELETE, and allow only GET.
On our use case, we'd like to access the financials without interacting to do some basic calculations for the client companies, which often don't like giving out more than read access as we shouldn't need it.
Read scopes are already implemented now, so checking the permission scopes requested should be enough to check against.
E.g., if an application only requests accounting.transactions.read, a read-only user should be able to connect their company to the application.
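One way to enforce the read-only intent from the integration side, as an added example that is not code from this thread or from Xero's own SDKs: the scope check treats any data scope without a `.read` suffix as a write scope, and the guard class refuses to issue anything but GET. Scope names other than accounting.transactions.read, and the guard wrapper itself, are assumptions.

```python
# Scopes that carry no accounting data and are safe to keep in a read-only grant
# (assumption: the standard OpenID Connect / refresh-token scopes used by Xero).
NON_DATA_SCOPES = {"openid", "profile", "email", "offline_access"}
READ_SUFFIX = ".read"


def write_scopes(requested: str) -> list[str]:
    """Return the subset of a space-separated scope string that grants write access.

    Any data scope without a `.read` suffix (e.g. `accounting.transactions`,
    a constructed example) is treated as a write scope, so an empty result
    means the requested grant is read-only.
    """
    return sorted(
        s for s in requested.split()
        if s not in NON_DATA_SCOPES and not s.endswith(READ_SUFFIX)
    )


def is_read_only(requested: str) -> bool:
    """True when no requested scope can modify data."""
    return not write_scopes(requested)


class ReadOnlyGuard:
    """Client-side guard that makes writes impossible regardless of the token.

    Hypothetical wrapper (not part of any Xero SDK): it rejects a token that
    carries write scopes at construction time, and then refuses to build any
    non-GET request, which is what a production-to-test replication wants.
    """

    def __init__(self, granted_scopes: str) -> None:
        writes = write_scopes(granted_scopes)
        if writes:
            raise PermissionError(f"token grants write scopes: {writes}")
        self.scopes = granted_scopes

    def request(self, method: str, path: str) -> tuple[str, str]:
        # Only GET is allowed; PUT, POST, PATCH and DELETE are all refused.
        method = method.upper()
        if method != "GET":
            raise PermissionError(f"{method} {path} blocked: integration is read-only")
        return method, path
```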