It looks like any ApiKey for the CLI can perform any action - there's absolutely no permission control - is that correct?
I genuinely thought that an ApiKey was tied to the user owning the key and that the user's permissions were controlled under any of the commands availble!
It's a bit concerning security wise if any ApiKey gives access to do anything when the idea with the CLI is to use it for ERP file uploads/downloads and ApiKeys are given to other parties.
Typically our FTP accounts for that type of usage only had access to the folders they should be allowed to upload to or download from.