HTTP access tokens can currently be used to use the REST API, but also access the repository data itself via git etc.

We would love to see a permission setting that allows us to limit the token to only allow read-only access using the REST API.

Any further repository actions (pull/push) we wish to do using SSH for more granular control.

Additionally, the permission feedback (HTTP access token page) does not list or mention REST API access specifically anywhere. See https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html