Okay, I think I may be thinking about this wrong.

I know that if I just grant an API User a generous role with 'All' access to all entities, that I will be able to achieve what I want, but I was hoping I could create a limited role that can log actions like the current /api/v1/ActionHistoryRecord, but not necessarily be able to do anything beyond that.

I can see the JSON response if I'm logged in as my own Admin self, but haven't been able to set the limited Action scope as I describe above as a role for an "API User".

In short, I just want to create a real-time audit stream, from a client-side application, via the methods in the API documentation.