Is there a way to create an Api account and give it only Api permissions? I want to have an account that can not actually log into the Admin console. Is that even possible? Some of the permissions are a little odd.
For what its worth I am running JSS 9.7
I don't believe that is an option. Even with no permissions boxes selected you can log into the console, you just won't have anything available.
I think the permissions model is designed to restrict access to the data, not the method by which you can access that data, which is not relevant in most cases. Blocking console access wouldn't "do" anything since those credentials can just do the same stuff via the API.
Oddly enough, unless my memory is faulty, I believe it used to be an option in the Casper Suite 8 series to create an API only account that could not log into the JSS. I'm not clear why that capability was removed, although as @alexjdale mentioned, its somewhat irrelevant if the data is accessible one way and not the other.
What we do is have one API use Read Only account. It can't change a single thing in the JSS if we log in with it, but we can read just about any data we want using it from a script.
We have another API write account with a much stronger password that only a few people know that can be used for occasions where we may want to create or modify objects in the JSS using a script. And even at that, the items it can make changes to are limited. It can't delete anything also.