We should be able to generate tokens that have read only access to the container registry and not other parts of Digital Ocean. This would be useful for deploying images to maintain good security and only allow our service to pull images, not access droplets or databases.