Since you’re authenticating your API call with your app generated API key it’s running in the context of the App admin.
Follow this guide, you essentially create a workflow to generate an API key per user, then you remove the shared key header from your API call and instead make it a non-private header so it can be dynamically filled in when the action done. This also means the API call follows the privacy rules of the Current User (can be ignored if needed)
The key lasts 1 year, so I have a date field under my user indicating when it’s expired. Then at login it checks if it’s expired and generates a new one and saves it in a text field under the user
Maybe one day we will be able to return values back to the client, maybe one day…