A Developer may request a ClientID and Client Secret. These are stored in the database and can be found under Administration > API Clients. You may want to create an API Client specifically for your application. The permissions you grant will depend on the application and are determined by the User specified in the API Client record.
Our recommendation (Best Practice!) is to create a NEW Company Contact using the Add / Edit Company tool, and then create a NEW User for each Integration. (When creating the new User, open the Pick List on the Contact field and choose the *Current Companies view.) Then add the NEW API Client record and name it something other than _apiClient. (This allows the Audit Log to track exactly which integration is making changes.)
Your list of API Clients may resemble this:
Developers will need a User login in order to access the Swagger Interface, since the tool requires authentication. This is a tremendous boost to productivity because queries to the REST API can be prototyped and tested there without coding. In order to query system lookup tables, a Developer should have the Setup Admin field set to True in the User record.
In either case, the User should be granted Permissions for the Pages which will support the application being developed. It is often necessary to have access to related Pages, so you may opt to be generous when granting permissions in general, but remove those permissions for sensitive records which are known not to be necessary to the application.
You may also want to give this User record a Security Role with API Procedure permissions, since these are used by the API.
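As an added example (not the product's own tooling), here is a small Python audit over constructed API Client records that flags the issues the guidance above warns about: a client still using the default `_apiClient` name, a User shared by several integrations (which defeats Audit Log attribution), and a User with Setup Admin set. The field names, record structure and sample values are assumptions for illustration; the product's real schema may differ.

```python
# Added example, not part of the product or its documentation.
# Audits API Client records against the practices described above.
from collections import Counter
from dataclasses import dataclass

DEFAULT_CLIENT_NAME = "_apiClient"  # default name the guidance says to avoid


@dataclass(frozen=True)
class ApiClient:
    name: str          # API Client record name (assumed field)
    user: str          # User login the client acts as (assumed field)
    setup_admin: bool  # Setup Admin flag on that User record (assumed field)


def audit_api_clients(clients):
    """Return a list of (client_name, finding) tuples; an empty list is clean."""
    findings = []
    # Count how many API Clients point at the same User.
    users_in_use = Counter(c.user for c in clients)
    for c in clients:
        if c.name == DEFAULT_CLIENT_NAME:
            findings.append((c.name, "default name; Audit Log cannot tell integrations apart"))
        if users_in_use[c.user] > 1:
            others = users_in_use[c.user] - 1
            findings.append((c.name, f"shares User '{c.user}' with {others} other client(s)"))
        if c.setup_admin:
            findings.append((c.name, "User has Setup Admin; confirm lookup-table access is required"))
    return findings


# Constructed sample records (not real data).
SAMPLE_CLIENTS = [
    ApiClient("_apiClient", "api_user", False),      # default name, shared User
    ApiClient("Shopify Sync", "api_user", False),    # shares User with _apiClient
    ApiClient("Zapier", "zapier_svc", True),         # dedicated User, but Setup Admin
    ApiClient("Payroll Export", "payroll_svc", False),  # follows the guidance
]

if __name__ == "__main__":
    for client_name, finding in audit_api_clients(SAMPLE_CLIENTS):
        print(f"{client_name}: {finding}")
```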