Limit API key permissions
under review
Iman Peeman
Any progress on this? With all the regulation related to ISO 27001 and NEN7510, which require scoped access to only the functionality a client (or system) really needs, the API cannot be used.
Michiel van der Veeken
marked this post as under review
Benjamin Fresco
In addition to the above, I would also like to limit what a user can do with a specific API key, i.e. to limit a specific key pair to only perform GET requests in HID and not be allowed to send POST requests.
Per my understanding, in the current implementation of HelloID an entity with a valid API key is not restricted in what it can or cannot do against the API.