Ask HN: How do you enforce least-privilege when an API token has full access?

One pattern worth considering before reaching for a proxy layer: minimize what you actually send to the third-party API in the first place.

If your use case allows it, sending only a derivative of the sensitive data (a hash, a token, a summary) rather than the raw data itself removes an entire class of exposure. The third-party never holds something that can be leaked or misused, regardless of what their token scope allows.

For cases where you genuinely need to send raw data, the API proxy approach with RBAC/ABAC is the most practical solution I've seen work at scale. The proxy becomes your internal trust boundary — internal services get scoped credentials from the proxy, never the upstream full-access token directly.

The "just accept the coarse permissions" path is underrated for low- risk integrations though. The overhead of a proxy layer is real, and sometimes the honest answer is that the data isn't sensitive enough to justify it.