Access with Application Token and different paths than a logged-in user

I have a django web app that exposes /admin and /api to the world. I would like my regular users to be able to see both, but an external service to only see /api. My API is read only and not particularly dangerous in the event an API ke gets loose, but the admin is obviously not safe to expose.

There doesn’t seem to be a way to scope the Access Service Token to particular path, and I can’t create a second “Application” that shares the same hostname. Am I missing something?

Second question - do I need to store the JWT token in my external application and use that for all future requests, or am I fine to use the ID/Secret for all requests? This is running in a serverless setting so either way it could be doing the initial auth many times anyways.