The Movie Database Support

Hello !

First, thanks for all the hard work on the documentation and API !

I'm trying to set up my auth flow for the Tmdb API, however, I'm struggling to understand the exact authorisation scope of the various tokens.

From my understanding of the documentation:

  1. The Read Only Access Token (read token) is to be used as an API key and only grants read access for v4
  2. The api_key serves the same purpose for v3
  3. The Access Token (write token) is to be used for Account & List endpoints in v4
  4. The session_id is to be used for Account & List endpoints in v3
  5. The Guest session_id is only for rating shows/movies/episodes in v3

However, it seems that:

  1. The read-only token for v4 grants access to all accounts & lists endpoints in v3 or v4 regardless (for GET at least, not POST/DELETE it seems)
  2. The session_id + api_key works on v4 endpoints (without v4 read or write token)
  3. All account_id query parameters for those endpoints are ignored in favour of the token or session id holder

So in the end I'm confused about which token I should use.

  1. Can I use v4 access token or session_id+api_key interchangeably for all endpoints? Same for api_key and read-only token ?
  2. What is the point of converting a write token to a session id if the former works as is?
  3. Are all GET endpoints for Account & Lists accessible with read-only tokens? If so doesn't that mean I leak the api_key account's holder information if I bundle my app with a read-only token instead of api_key?
  4. What is the point of object_account_id (v4) and account_id (v3) if the return is based on the auth token holder?

Thanks for any insight you can provide :)

2 replies (on page 1 of 1)


Hi @dvcol,

The v3 API key and v4 access token can be treated as one and the same. They provide access to any of the public read methods. For example, unless a list is marked as private, either way of authenticating can be used to get a list. Lists are public by default so this would be the case for the vast majority of lists.

A session ID, or user authorized access token is required to do any user specific actions like rate a movie, or access private lists.

@travisbell said:

Hi @dvcol,

The v3 API key and v4 access token can be treated as one and the same. They provide access to any of the public read methods. For example, unless a list is marked as private, either way of authenticating can be used to get a list. Lists are public by default so this would be the case for the vast majority of lists.

A session ID, or user authorized access token is required to do any user specific actions like rate a movie, or access private lists.

But I'm able to mark a movie as favorite on any account without session_id or access_token, but only with api key
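Question 3 in the opening post is about shipping an app-level credential inside a client. One way to avoid that is to keep the credential on a backend and forward only public read requests, sketched here as an added example that is not part of the thread or TMDB's own code. The function name, the allowlisted resource names, and the token value are assumptions.

```javascript
// Added example: forwarding rule for a backend that holds the app-level
// TMDB credential, so the client never sees it. Names below are assumptions.
const TMDB_ORIGIN = "https://api.themoviedb.org";

// Credential-bearing parameters a client must not be able to supply.
const STRIPPED_PARAMS = ["api_key", "session_id", "guest_session_id"];

// Allowlist of public read resources (illustrative; extend deliberately).
// Account and list paths are left out, so they are refused.
const ALLOWED_PATH = /^\/3\/(movie|tv|search|discover|configuration)(\/|$)/;

function buildUpstreamRequest(method, clientPathAndQuery, readToken) {
  // Writes (POST/DELETE) are user-specific actions and are never proxied.
  if (String(method).toUpperCase() !== "GET") {
    return { allowed: false, reason: "method" };
  }
  let url;
  try {
    // Resolving against the fixed origin also normalises "../" segments.
    url = new URL(clientPathAndQuery, TMDB_ORIGIN);
  } catch {
    return { allowed: false, reason: "unparseable" };
  }
  // "//host/..." or an absolute URL would otherwise redirect the token.
  if (url.origin !== TMDB_ORIGIN) return { allowed: false, reason: "origin" };
  if (!ALLOWED_PATH.test(url.pathname)) return { allowed: false, reason: "path" };
  for (const name of STRIPPED_PARAMS) url.searchParams.delete(name);
  return {
    allowed: true,
    url: url.toString(),
    // The token is attached here, server-side only.
    headers: { Authorization: `Bearer ${readToken}`, Accept: "application/json" },
  };
}

// Constructed sample requests; the token is a placeholder.
const samples = [
  ["GET", "/3/movie/550?language=en-US&api_key=client-supplied"],
  ["GET", "/3/account/1/favorite/movies"],
  ["POST", "/3/movie/550/rating"],
  ["GET", "//other.example/3/movie/550"],
];
for (const [m, p] of samples) {
  console.log(m, p, buildUpstreamRequest(m, p, "PLACEHOLDER_READ_TOKEN"));
}
```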
