Does the API user have to have full system access?

I’ve created a role specifically for the API user to limit possible security issues. However, even with all boxes checked, it’s unable to connect to Mautic, producing a 401 access denied error, unless granted full access.

When I give it the Administrator role, everything works fine.

What’s going on here? Bug? Feature?

That might be true for some endpoints, but not for all in my opinion. Just now I am looking into LeadApiController and see that the controller actually checks for lead:leads permissions.