API Keys for access to *zome* accounts

Is there a way to generate API keys that will allow access to some accounts under an owner, but not others? My parent organization (statewide) purchased a large number of licenses, and has created admins for the individual sub-units (counties), but there doesn’t appear to be a way for the admins to be able to generate individual API keys (or even register separate JWT apps). If I log in as an admin and go to create an app/key in the Marketplace, I’m shown the Owner’s app and key. This seems to have the effect of allowing the admin account to access all of the accounts under the Owner.

Not an error - just looking to limit which accounts an app can access with the organization.

Which App Type (OAuth / Chatbot / JWT / Webhook)?

Which Endpoint/s?
https://api.zoom.us/v2/users (for example). I’d like this to only return a specific set of users assigned to an admin, for example. Or I’d like to be able to only retrieve recordings for those users, instead of all of the users under the account.

Each account is separate, so you’ll notice that the Get User List API requires the user:read:admin scope.
I would recommend creating an OAuth app that includes this (and any other API scopes you may need) and having the sub-accounts install this app, then the list of users returned will be unique to each account.

You only share the installation URL of the OAuth app to the accounts you want.

Limit the results by each installation, but have a multi-tenant (centralized) backend for all of them.

I would recommend this approach over asking for the JWT API Keys from each account, it is easier to manage, albeit a little slower to implement (but not by much, and it will save you time in the long-run).