Especially for automatically executed scripts that use the XML or REST API, it would be much more safe and secure to have read-only credentials.

For instance, for a script that automatically publishes the current list of sites on our intranet, and a script that uses what's in Plesk for automatic billing, we really don't want to store credentials with them that allow them (or anyone who steals those credentials), to change anything (e.g. delete everything).

This requires the creation of a new type of attribute on users or authentication tokens: read-only.

Ready-only users or tokens can be used to make API calls, but all of their calls that would modify anything will be rejected with an error response with status 401 or 405.