Read-only access to API

Hi!

I want to extract history data for a few sensors to populate an e-ink display. I have a Python script running on another node querying the Home Assistant API /api/history/period/... endpoint, rendering the graphics and sending them to the display; that works well.

However, for security reasons, I’d like to limit that script to being able to get history data, but not allow it to make any changes, including state changes of any smart plugs, thermostats, etc.; it can read whatever, I don’t care, but it shouldn’t be able to make any changes (esp. not changes with real-world effects).

I can’t figure out how to do this. A separate non-admin user appears to still be able to set states, and I haven’t been able to find a way to limit long-lived tokens to specific HTTP methods or endpoints or otherwise limit what they can do. Is there an idiomatic way to do this in Home Assistant that I’ve missed?

Thanks!

Best,
Felix


Seems I missed read-only users; that appears to do just what I want. I’ve created a new user named readonly via the UI, then edited .storage/auth to set their group from system-users to system-read-only. Logged in as user readonly, none of the toggles work (as expected), and a long-lived token created as that user is still able to query history data via the API.
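A way to confirm the result from the script's side, as an added example that is not part of the original post or of Home Assistant itself: it probes the token against the standard REST API, expecting the history read to succeed and a deliberately harmless service call (homeassistant.update_entity, which only refreshes an entity's state) to be rejected with a 4xx status. The `send` callable, the base URL and the entity id are assumptions so the check can also be exercised offline.

```python
"""Verify a Home Assistant long-lived token can read history but not write.

Added example, not from the original post. Assumes the standard HA REST API
(/api/history/period and /api/services) and a token string; `send` is an
injectable transport so the check can run against a stub.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone


def _urllib_send(method, url, headers, body):
    """Default transport: perform the request, return (status, response text)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def check_token_is_read_only(base_url, token, entity_id, send=_urllib_send):
    """Return a dict: the token counts as read-only only if the history GET
    returns 200 AND the probe service call is refused with a 4xx status."""
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    since = (datetime.now(timezone.utc) - timedelta(hours=1)).replace(microsecond=0)
    history_url = f"{base_url}/api/history/period/{since.isoformat()}?filter_entity_id={entity_id}"
    read_status, _ = send("GET", history_url, headers, None)

    # Probe write permission with a service that has no real-world effect even
    # if it were allowed: update_entity merely re-polls the entity's state.
    write_url = f"{base_url}/api/services/homeassistant/update_entity"
    write_status, _ = send("POST", write_url, headers, {"entity_id": entity_id})

    write_denied = 400 <= write_status < 500
    return {
        "read_status": read_status,
        "write_status": write_status,
        "read_ok": read_status == 200,
        "write_denied": write_denied,
        "is_read_only": read_status == 200 and write_denied,
    }


if __name__ == "__main__":
    # Placeholder URL/token/entity: replace with your own before running live.
    print(check_token_is_read_only("http://homeassistant.local:8123",
                                   "<LONG_LIVED_TOKEN>", "sensor.example_temperature"))
```

Home Assistant typically answers a denied write with 401 for a read-only user; any 4xx is treated as a refusal here because the exact code is not specified by the API docs.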