It’s a limitation with OAuth2. The API keys are currently secretly actually the bits required to construct an OAuth2 access token (specifically, they’re a refresh token and a client id). The OAuth2 spec doesn’t let you add permissions to keys, and since our OAuth2 implementation enforces this, there’s no way to change it without making API keys not use OAuth2 as a backend.
It’s something that’s bothered me as well; we had some internal talks about making a backend system dedicated for API keys but it’s a fairly high cost project for relatively little payoff, so I doubt it’ll happen any time soon.
That said, there probably won’t be any new permissions for a long while.
