To follow up on this for anyone who finds their way here, we managed to solve our problem by programmatically generating User API keys via undocumented behaviour in the User API keys controller
By default, user interaction is required to generate a User API key - however, you can generate a User API Key on the users behalf by using an admin API Key for that user. By making a request to
https://sitename.com/user-api-key/new authenticated as a user, i.e. with an
api_username included in the POST data, and by not including an
auth_redirect value, the API will respond with the generated key, rather than requiring user interaction to authenticate the application requesting the User API key.
This may not be entirely clear and is quite convoluted so if you’re interested in finding out more, just message me.
We have a python implementation (Django) as an example of how this can be done.