Apologies for a 2nd question so fast: Maybe I missed it, but how do we create read-only access tokens so that not all clients with the PSK have write privilege? (I'd follow-up too: How would I do it via mutual TLS auth? 😉 )