can an agent token be used for machine processes that need to communicate with the graphql API?

it has read-only access to the API but might not be able to do certain writes. A user token is probably a safer bet (We'd still like to add the concept of service users to better support these use cases)

thanks!