A lot of services expose APIs where the token basically grants everything the integration can do (read/write/delete across the entire account), making it hard to enforce the principle of least privilege internally when multiple internal services or agents are calling the same API.
In those cases, do you...
Put an API proxy/gateway in front of the third-party API to enforce granular permissions?
Use RBAC/ABAC rules in a proxy layer to filter which endpoints/actions can be called?
Just accept the coarse permissions and risk associated?
Something else?
Would love to hear real architectures people are using in production, especially when the upstream API itself doesn’t support fine-grained scopes.
FabienBSDN•1h ago
If your use case allows it, sending only a derivative of the sensitive data (a hash, a token, a summary) rather than the raw data itself removes an entire class of exposure. The third-party never holds something that can be leaked or misused, regardless of what their token scope allows.
For cases where you genuinely need to send raw data, the API proxy approach with RBAC/ABAC is the most practical solution I've seen work at scale. The proxy becomes your internal trust boundary — internal services get scoped credentials from the proxy, never the upstream full-access token directly.
The "just accept the coarse permissions" path is underrated for low- risk integrations though. The overhead of a proxy layer is real, and sometimes the honest answer is that the data isn't sensitive enough to justify it.