I could not find a category for the savings API, so I put it in this category instead.
I have found a potential bug: I am able to subscribe to a flexible savings product with a read only api key. I don’t consider this a read only action.
Many people create read only api keys for e.g. tax applications, it would be annoying if those applications could subscribe to flexible savings product, or even other products. I did not investigate this further (with other products). Flexible savings is well not very risky, just annoying. But if this is also the case for liquid swap or (locked) staking, then the bug is more severe.
The endpoint in question is POST /sapi/v1/lending/daily/purchase (HMAC SHA256)