API Integration best practice- roster exchange

Community Explorer

I’m looking for someone who has implemented the Roster Exchange API Integration for Barnes and Noble, and/or is knowledgeable regarding best practices regarding user access tokens vs developer keys for guidance.  Roster exchange is part of what they are calling their "First Day" program.

The Roster Exchange API uses the user access token method, rather than a developer key.  I have created a customized role for this API use, limited to the fields they say they need, but they say they need to be able to list all courses, read SIS data, view all users and more.  So, administrator rights over the entire instance, although not manage rights.   With the new Developer Key token scoping that went into beta today, rather than rely on the user token, should I ask them to reprogram to use a developer key, as I think it will allow for more limited permissions?  Or does creating a custom role and user for creating the user access token really achieve the same thing?   Community input would be much appreciated. 

While I have found useful links in the community (canvas API’s and admin guide) and others, I worry I don’t know what I don’t know.  Our IT department has not responded; I believe because they don’t have familiarity with APIs in general or certainly Canvas in particular.