Can I have a narrowly scoped API key?
I want to set up some automation to modify one specific domain. Can I set up an API key that only allows RW access for that domain, and nothing else?
Yes. You can set the access rights you want users authorized to use the API token to have right from the Cloud Manager. Here's our section of the guide which shows you how to do this:
I hope that answers your question!
I see that I can say I want the key to control domains only. But can I only allow it to control a specific domain?
API tokens have the same permissions as the linode.com user that owns them. So, I believe this is what you want:
Cloud Manager -> Account -> Users -> Add a User -> "This user will have full access to account features" to OFF, then on the Permissions page: grant the access you desire (read/write to that domain only or whatever).
Log in as this new user, My Profile -> API Tokens -> Add…
Hope that helps!