How to narrow the access from external systems? Tested with tagging providers, users and groups. Looks like all (admin) or nothing (tagged user) proposition. Any ideas if this is possible?
I think this page from the docs is what you’re looking for. It details how API calls are authorized based upon the things the caller’s group is entitled to do.