That response is incorrect. Any user can generate a user API key if the generation of user API keys is enabled for the user’s trust level. If you don’t set a redirect in the request payload it will display a base64 encoded response in the browser that contains the key.
See this topic for a script that shows how it is done.