Account-level API access control
Is there a method of authentication that only allows selected accounts/members to use the API?
Currently, reading the documentation, using the API key is not differentiable between accounts. Even with the username/password method, all accounts (who have access to the client ID/secret) can access the API.
The only hack I can think of, which only works if there is a small number of accounts that need API access, is to set up a different API key or client key-secret per account -- this is arguably a hack.
There is no way to control access to the API on this level. If you do not want some people to access the API, then do not share the client secret with them (this is why it is called a secret).
Anyway, when an admin or a member works with the API, he cannot exceed his access level. It means that the API will return only data available to this user through the web interface.