Project-level scope for API tokens

At the moment, the Vercel API token can only be scoped to the user or the team level.

From a security standpoint, it would be super helpful if the token could also be scoped at the project-level.

We would like to have bespoke API tokens for each of our projects on Vercel.

Thanks for the suggestion! I’ll pass it along to the team. :smile:

I also want to make sure you’re aware that it’s currently possible to create multiple access tokens scoped to teams. You can set them up with expiration dates or manually delete anytime. So you could create separate tokens for each project with team-level scope to use with individual projects.

Thanks, @amyegan!

Unfortunately, this doesn’t help, since our goal is to restrict access to specific projects and hence lower the attack surface by allowing only a few people from our team to deploy to all Vercel projects.

The more I think about this feature, the more I realize how important it is for protecting your customers from hacker attacks.

Recently, the crypto industry suffered a major hack—$1.5 billion was lost because a developer’s AWS session key was stolen. The attacker was a state-sponsored hacking group.

If a similar attacker were to obtain a large organization’s VERCEL_TOKEN, they could easily inject a malicious version of its website.

Given this risk, I think that project-scoped tokens should be a high-priority addition to your roadmap.

I just confirmed with the engineering team that this is on the roadmap. I don’t have an estimated release date yet, but we’re already working on it.

Keep an eye on the changelog for an announcement when it becomes available.