Limit API token to read only?

When creating a new key, how do I utilize the rules to limit that api token to read only access?

I use Cockpit Group Addons to add new group and give it access desired (read only or full access) to the collections.

You can use group rules with the group addon or via config file or simply create a new api token and set it to /api/collections/get/collection_name. Now this specific token has only access to read collection_name.