html_url,issue_url,id,node_id,user,created_at,updated_at,author_association,body,reactions,issue,performed_via_github_app
https://github.com/simonw/datasette/issues/1951#issuecomment-1350293098,https://api.github.com/repos/simonw/datasette/issues/1951,1350293098,IC_kwDOBm6k_c5Qe9Zq,9599,2022-12-14T02:43:44Z,2022-12-14T02:43:44Z,OWNER,Documentation for the new method: https://docs.datasette.io/en/latest/internals.html#create-token-actor-id-expires-after-none-restrict-all-none-restrict-database-none-restrict-resource-none,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1495431932,
https://github.com/simonw/datasette/issues/1951#issuecomment-1350231654,https://api.github.com/repos/simonw/datasette/issues/1951,1350231654,IC_kwDOBm6k_c5QeuZm,9599,2022-12-14T01:48:50Z,2022-12-14T01:48:57Z,OWNER,I like that the word `restrict` reflects the `_r` in the actor/token.,"{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1495431932,
https://github.com/simonw/datasette/issues/1951#issuecomment-1350222701,https://api.github.com/repos/simonw/datasette/issues/1951,1350222701,IC_kwDOBm6k_c5QesNt,9599,2022-12-14T01:35:05Z,2022-12-14T01:35:22Z,OWNER,"Maybe this:

```python
datasette.create_token(""root"", expires_after=3600, restrict_all=(""view-query"", ""view-table""))

token = datasette.create_token(""root"", expires_after=3600, restrict_database={
  ""fixtures"": (""view-query"",)
})

token = datasette.create_token(""root"", expires_after=3600, restrict_resource={
  ""fixtures"": {
    ""facetable"": (""insert-row"", ""update-row"")
  }
})
```","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1495431932,
https://github.com/simonw/datasette/issues/1951#issuecomment-1350220579,https://api.github.com/repos/simonw/datasette/issues/1951,1350220579,IC_kwDOBm6k_c5Qersj,9599,2022-12-14T01:31:38Z,2022-12-14T01:31:38Z,OWNER,"The problem with `all=(..)` is it feels misleading - it's actually restricting the permissions made available to the token.

Likewise, `databases=` being a dict of restricted permissions isn't completely obvious.

And the nested `tables=` dictionary feels a bit odd too.","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1495431932,
https://github.com/simonw/datasette/issues/1951#issuecomment-1350218177,https://api.github.com/repos/simonw/datasette/issues/1951,1350218177,IC_kwDOBm6k_c5QerHB,9599,2022-12-14T01:27:45Z,2022-12-14T01:30:41Z,OWNER,"Some sketches:
```python
# Token for root user
token = datasette.create_token(""root"")

# Expiring in an hour
token = datasette.create_token(""root"", expires_after=3600)
```
More complicated is when you want to restrict to specific permissions:
```python
# Limited to view-query and view-table
token = datasette.create_token(""root"", expires_after=3600, all=(""view-query"", ""view-table""))

# I'm not sure about that all= name

# Limits within a specific database:
token = datasette.create_token(""root"", expires_after=3600, databases={
  ""fixtures"": (""view-query"",)
})

# And specific tables:
token = datasette.create_token(""root"", expires_after=3600, tables={
  ""fixtures"": {
    ""facetable"": (""insert-row"", ""update-row"")
  }
})
```","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1495431932,
https://github.com/simonw/datasette/issues/1951#issuecomment-1350217380,https://api.github.com/repos/simonw/datasette/issues/1951,1350217380,IC_kwDOBm6k_c5Qeq6k,9599,2022-12-14T01:26:22Z,2022-12-14T01:26:22Z,OWNER,"It's going to look very similar to the CLI tool, at least in terms of capabilities:
```
Usage: datasette create-token [OPTIONS] ID

  Create a signed API token for the specified actor ID

  Example:

      datasette create-token root --secret mysecret

  To allow only ""view-database-download"" for all databases:

      datasette create-token root --secret mysecret \
          --all view-database-download

  To allow ""create-table"" against a specific database:

      datasette create-token root --secret mysecret \
          --database mydb create-table

  To allow ""insert-row"" against a specific table:

      datasette create-token root --secret myscret \
          --resource mydb mytable insert-row

  Restricted actions can be specified multiple times using multiple --all,
  --database, and --resource options.

  Add --debug to see a decoded version of the token.
```","{""total_count"": 0, ""+1"": 0, ""-1"": 0, ""laugh"": 0, ""hooray"": 0, ""confused"": 0, ""heart"": 0, ""rocket"": 0, ""eyes"": 0}",1495431932,