If what you want is a report, why not use the data explorer plugin? It’s designed to generate things that very much resemble reports. You can allow members of a certain group to access a given query.
The API key will have the permissions for the user that it’s generated for, by default, or you can apply granular scopes. If you can access the endpoint you want in your browser logged in as whatever user, then you can see that the user has access and that it’s an issue with your API key.
An admin can visit the page for that API key and see what scopes are assigned to it. No one else can. From the API keys page you can click any key and see its scopes: /admin/api/keys/22
