Since we use Personal Access Tokens, the permissions of the API token reflect the permissions of the user it's associated with.
For example, if a user is only allowed to view assets but not update them, any API request made with that user's Personal Access Token will return an Unauthorized error when it attempts an action the user isn't permitted to perform while logged in, such as updating an asset.