Read-only access token for OAuth 1.0a REST API calls?

I’ve followed the instructions using the OAuth 1.0a Java code example and an admin account to create an access token for an on-premises JIRA 7.3.0 server. I can use the token and sample to make RESTful calls to retrieve JQL query results in JSON format. Works fine.

However, the JIRA admin site says (somewhere, I’ve since lost the link) that the granted access token is “READ-WRITE” access level. The application I’m writing is only supposed to monitor resolved and status values for specific issue keys, and I don’t want others with access to the source and config to abuse it for programmatically modifying issues, sprints, admin settings, etc.

I can’t seem to find any documentation on how I can use the /plugins/servlet/oauth/authorize API to retrieve a read-only access token instead of a read-write one. How can I modify the sample to have it instruct JIRA to issue a read-only access token? Or alternately, how can I amend an existing read-write access token to be read-only?