Currently every user with Aha! access can create an API token or authorize apps to use the API, and the scope is tied to the user itself and is not configurable.
When it comes to projects that utilize the API, it is the application owner / administrator who sets up these connections, while the system requiring the access does not have a dedicated service account of its own in Aha!.
So currently every API token set up by the administrator runs with full admin permissions, which definitely requires plenty of trust in the parties the API access is created for, e.g. https://docs.snowsoftware.com/snow-integration-manager/en/UUID-ed0c9286-85e9-9862-3583-8b285a87d66c.html or https://docs.searchunify.com/Content/Content-Sources/Aha.htm.
So please make it possible to configure the scope and the workspaces a created API token or OAuth2 app can access.
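To make the risk concrete, here is an added example (not Aha!'s code or API, and not part of the original request) modelling the two authorization behaviours side by side: a token that simply inherits its owner's rights, as the request describes, versus a token issued with an explicit read/write scope and a workspace allowlist. The `User`, `Token`, scope names, workspace IDs and action names are all hypothetical, constructed for illustration.

```python
"""Hypothetical model of scoped API tokens (added example, not Aha!'s API)."""
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    READ = "read"
    WRITE = "write"


# Constructed action names; anything in this set is treated as a mutation.
WRITE_ACTIONS = {"feature.create", "feature.update", "feature.delete"}


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool
    workspaces: frozenset  # workspace IDs the user may access


@dataclass(frozen=True)
class Token:
    owner: User
    scopes: frozenset      # subset of Scope
    workspaces: frozenset  # subset of owner.workspaces the token may touch


class AuthError(Exception):
    pass


def issue_token(owner: User, scopes, workspaces) -> Token:
    """Mint a token whose access is a subset of the owner's own access.

    A token must never grant more than the issuing user holds, so workspaces
    outside the owner's set are rejected instead of silently dropped.
    """
    unknown = set(workspaces) - set(owner.workspaces)
    if unknown:
        raise AuthError(f"owner lacks access to {sorted(unknown)}")
    return Token(owner, frozenset(scopes), frozenset(workspaces))


def authorize_inherited(token: Token, action: str, workspace: str) -> bool:
    """The behaviour the request complains about: the token *is* the user.

    Scope and workspace on the token are ignored; an admin's token can do
    anything anywhere, regardless of what the integration actually needs.
    """
    return token.owner.is_admin or workspace in token.owner.workspaces


def authorize_scoped(token: Token, action: str, workspace: str) -> bool:
    """Least-privilege check: scope AND workspace must both be granted.

    The owner's current access is re-checked as well, so a token cannot
    outlive a revocation of the user's own workspace membership.
    """
    needed = Scope.WRITE if action in WRITE_ACTIONS else Scope.READ
    if needed not in token.scopes:
        return False
    if workspace not in token.workspaces:
        return False
    return workspace in token.owner.workspaces


def overprivileged_tokens(tokens, used_actions, used_workspaces):
    """Audit helper: tokens granting more than an integration has ever used.

    `used_actions` / `used_workspaces` would come from API access logs; here
    the caller passes constructed sets.
    """
    needed_scopes = {Scope.WRITE if a in WRITE_ACTIONS else Scope.READ
                     for a in used_actions}
    return [t for t in tokens
            if t.scopes - needed_scopes or t.workspaces - set(used_workspaces)]


if __name__ == "__main__":
    # Constructed sample data.
    admin = User("integration-admin", True, frozenset({"WS-1", "WS-2", "WS-3"}))
    # The integration only needs to read WS-1, so that is all the token gets.
    token = issue_token(admin, {Scope.READ}, {"WS-1"})
    for action, ws in [("feature.list", "WS-1"), ("feature.delete", "WS-3")]:
        print(action, ws,
              "inherited:", authorize_inherited(token, action, ws),
              "scoped:", authorize_scoped(token, action, ws))
```

The `authorize_inherited` path shows why a read-only search indexer or licence-inventory connector ends up able to delete features in every workspace today; the `authorize_scoped` path is what a configurable token scope would let an administrator enforce, and `overprivileged_tokens` is the kind of audit that becomes possible once tokens carry an explicit scope to compare against observed use.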