
Giving Developers Access

 

What Credentials should I provide Developers?

API Clients

A developer may request a ClientID and Client Secret. These are stored in the database and can be found under Administration > API Clients. You may want to create an API Client specifically for your application. The permissions you grant will depend on the application and are determined by the User specified in the API Client record.

Best practice: We recommend creating a new API User for each API Client so the Audit Log can track which integration makes changes. First, add a Company Contact using the Add/Edit Company tool. Then, create a new User for the Company Contact you added. Make sure this User has a Security Role with Administrator rights. Finally, add a new API Client record and name it something other than _apiClient. This is the name that displays in the Audit Log, so we recommend using the name of the integration.

Your list of API Clients may look like this:

OAuth Credentials

Developers will need a User login to access the Swagger Interface, since the tool requires authentication. The Swagger Interface is a tremendous boost to productivity because queries to the REST API can be prototyped and tested there without coding. To query system lookup tables, a developer should have the Setup Admin field set to "Yes" in the User record.

Page Permissions

In either case, the User should be granted Permissions for the Pages that support the application being developed. It's often necessary to have access to related Pages, so you might be generous when granting permissions in general. But make sure to remove permissions for sensitive records, which are usually not necessary to the application.

You may also want to give the User record a Security Role with API Procedure permissions, since these are used by the API.