It would be great to have different API keys to allow different types of read/write access to actors/sessions. Nice to have: regex which assigns what part of the state a key can access or which events can be read/written For example I might bundle a client side API key that can only: (regex used for examples) read states: counter\..* read events type: counter\.updateSharedState\.* write events: counter\.(increment|decrement)\.${myUserGUID} Stretch goal: a public key code-signing capability and event validation mechanism similar to signed git commits