Hi @Dylan_Lester, the Legacy API key is not associated to any user and essentially gives full administrative access to integrating applications.
The OAuth2 flow ties the access token to the user that provided authorization so whatever permission level that user has will be what the access token will have permission to do. This is largely controlled by the permission settings under Admin > Users > Edit Permissions.
@Nicholas_Trecina I stumbled across this topic when searching for API permissions, I was wondering if in the meanwhile there is a solution to let the user login to it’s account on Infusionsoft and then take actions on behalf of that user using the API?
I don’t fully understand you question, but using OAuth 2.0 Authorization Code grant allows an API developer to get access to a users account if they first login and authorize your application. Hopefully I am understanding you correctly.