Example: you have an API route /routes/api/projects/[id]/+server.ts

You could have a permission allowing you access to all projects, such as project:* or you might want a token that only allows access to a specific project, so would have a permission like project:world-domination

Fairly easy to do, but maybe not obvious:

export async function GET({ locals, params }) {
  const { id } = params
  await locals.api.any(`project:*`, `project:${id}`).approve(limit)
  // rest of code
}