Granular permissions handling

Currently the HTTP client introduced in #4 makes assumptions that any tokens will have the relevant permissions, and where they do not we let the response status code dictate handling. We could improve this logic to perform the relevant checks on the client side and in turn raise more informative errors without the need to make a request to the API