login scopes for api tokens #70
Description
when logging in via the UI or the API, the session should note it and refuse to work for the other thing... because yeah.
session cookies could specify a path? but that might take multiple layers/initializers.