I ended up doing a work-around myself, just so the topic id can't be changed in the url to one they shouldn't have access to, and be able to view the topic, bypassing permissions.
I came up with this:

			// Check if this topic is in the sensitive category (ID 5)
			if (isset($topic['forum']['id']) && $topic['forum']['id'] === '5') {
				// Get current OAuth user info
				$currentUser = Application::whoAmI();
				
				// If we couldn't get user info or user is not logged in
				if (empty($currentUser) || empty($currentUser['id'])) {
					Output::i()->error('api_no_permission', '2M121/9', 403, '');
					return;
				}

				// Initialize permission flag
				$hasPermission = false;
				
				// Check if user is the original author
				if (isset($topic['firstPost']['author']['id']) && $topic['firstPost']['author']['id'] === $currentUser['id']) {
					$hasPermission = true;
				}
				
				// If not the author, check if user is an admin or moderator
				if (!$hasPermission && isset($currentUser['primaryGroup']['id'])) {
					if (in_array($currentUser['primaryGroup']['id'], ['4', '6'])) { // Admin or Moderator groups
						$hasPermission = true;
					}
				}

				if (!$hasPermission) {
					Output::i()->error('api_no_permission', '2M121/10', 403, '');
					return;
				}
			}

What version are you using there? I ask as there is a known issue in 5.0.7 beta 1, which was quickly replaced with beta 2.1

Well I was using version 5.0.5 for my testing of the API. I just upgraded that board to the 5.0.7 Beta 2.1, issue still exists. I also noticed, after I upgraded my board to beta 2.1, beta 3 was released. I upgraded to that as well, and issue still exists.

Basically, with the API, you set it up to retrieve your topic and posts for the topic, the url will essentially look like this: module=forums&controller=topics&do=viewTopic&id=7 So, in the url, you change the topic id to one you know you cannot and should not be able to access, and in doing so, you gain access to that topic information, bypassing the permissions of that topic/forum/category or whatever else.

Would you like to see my code for this particular issue, so you can see how it is being done?

However, I forgot to mention this, when displaying the content on page for a particular forum that has restrictive access, it displays it just fine.

As by this screenshot (I do have an issue with the pagination screwing up, not sure how or why it is doing that, but I will tackle it lol)

And, if you are admin or mod, it shows them all, like it should

Edited April 29Apr 29 by Nuclear General

The API does have a check if the user has permission to see the topic, but it is only available for requests made using an OAuth Access Token for a particular member, not using an API Key or the Client Credentials Grant Type.

Based on what you're saying, you're using the Client Credentials Grant Type. That won't trigger the permission check because $this->member is empty:

		if ( $this->member and !$item->can( 'read', $this->member ) )
		{
			throw new OutOfRangeException;
		}

I am using the Authorization Code grant type, not Implicit, not Resource Owner Credentials, or Client Credentials. Only the Authorization:

Edited April 29Apr 29 by Nuclear General
(it added the image twice, removed it)

The permission check works only if you use the Resource Owner Password Credentials option. Without that, the API has no idea about the logged-in member's permissions.

Ok, so what is the actual difference then between each one? I thought the Authorization Code would be the better option, because it provides server-side security, along with proper permissions?