I think you can do that. First create a read-only role. Then you need to decide if you want to create a new user, e.g. api-user, or use an existing user for your access token. If you create a new api-user then just assign the read-only role for that user and later use "Has Owner Permissions" in the access token configuration. If you use an existing, real user then do not select "Has Owner Permissions" in the access token configuration screen but instead select the read-only role in the authorized projects table.

If you organize your project under a common top level projects, e.g. my-company, then the configuration is for all sub-projects.

So you could for example have a user Simeon with general admin privileges and with an access token. That access token has authorized projects set to "my-company" and role "read-only" and "Has Owner Permissions" is turned off.

This is linked to OD-1984, we would love to have a way to create an access token that can be used to read from the API but not write to it. Having to use the "Has Owner Permissions" flag is a huge security risk.

I guess you want to generate an access token only has read permission for agents endpoint? If so, agent endpoint is designed only accessible by administrator as many other system level settings, and read only access for these settings will not be supported.