API roles are special API permissions that you can assign to an account. Having basic API access does not allow you to work with user information or manage user emails/passwords, for example.
There are three server commands for dealing with api roles.
Granting an api role:
apigrant [username] [role]
Revoking an api role:
apirevoke [username] [role]
List api roles for an account:
Grants read-access to the Users endpoints.
Allows access to the Change Email/Password endpoints for Users without needing to know the users' existing password.