Hi! I need to be able to restrict access to API methods depending on where a request comes from. In this case, direct user login will allow access to the entire API, but an API token will only grant access to a couple methods. The best thing I can come up with is to stick a caveat on basically every relationship and pass the source of the request as context in the check permission call, which will effectively force us to pass that context on every request. We’re talking 2 endpoints out of dozens-hundreds. I’m tempted to do it at the API gateway level or something, but I don’t totally like that an authorization question would be handled outside of spicedb.