
Third party service authentication

  • 0
  • Self Hosted
  • Auth
Pwncake
10 Oct, 2024, 08:51

Hello, I want a third party service (simple Node.js application, which is written by me, but later not controlled by me) to be able to write files to a specific bucket and update/add entries in a specific database collection. I don't want to give this service an API key with files.write or documents.write scopes, because then it could delete any file in any bucket and any document in any database collection. I tried to authenticate as a user, but I quickly noticed that it's not possible to create and use a session using the server SDK. I tried to use the client SDK:

```typescript
import { Client, Storage, Account, ID } from "appwrite";

const client = new Client()
  .setEndpoint("<my endpoint>")
  .setProject("<my project id>");

const account = new Account(client);
const session = await account.createEmailPasswordSession(
  "testaccount@mail.com",
  "password"
);
client.setSession(session);
const storage = new Storage(client);
await storage.createFile("<bucket id>", <unique id>, <file>);
```

but this also doesn't work without it running in a browser.

Now my question is, if there is any way to either restrict the API key scopes to be more granular, or somehow authenticate as a user using the server SDK or any other way I am overlooking to solve my problem?

TL;DR
Developers want a way for a third-party service to write files to a specific bucket and update entries in a specific database collection without granting broad permissions. They attempted authentication as a user but encountered limitations with the server SDK and client SDK. To restrict API key scopes, the solution is to create custom rules or use server-side OAuth tokens for user authentication.