we have multiple api team that use the same authorization system (schema). Some relationship is less sensitive and at large scale that it has to be done via API, like adding relationship when user sign up in one of the apps. Granting apps access to certain API is much less frequent and is more sensitive. We want token that can only write user relationship and not app relationship