Hey James, thanks for the question.

We’re not requiring private keys or anything beyond read-only keys in the beginning. Furthermore, we’ll test the API keys that customers enter in to ensure that we’re not being given more permissions than we need—and will reject those keys outright so as to not accidentally store higher permissioned access.