In addition to above mentioned, I would also like to limit the possibilities of what a user can do with a specific API key i.e. to limit a specific key pair to only perform GET requests in HID and not be allowed to send POST-requests.

Per my understanding, In the current implementation of HellloID a entity with a valid API key is not restricted in what it can or cannot do against the API.