Is there a way to prevent users from creating unscoped API tokens?