...
- a User on your tenant with enough permissions to set up the authentication
  - permissions: edit_backend_settings and view_api_keys (global, not inbox scoped)
  - this user is only used to make the setup calls; you must not use it as the base user for the API-Key!
- a dedicated User on your tenant who will be bound to your API-Key
- at least 2 roles to grant to the end user
  - one Role for the inbox related permissions
  - one Role for the review related permissions
...