View the original community article here
Last tested: Jun 8, 2017
Yes. API sessions authenticated with API3 keys of a given user will always have exactly the same permissions as the user account the keys belong to. If the user can do it in the UI, then a script authenticating with API3 keys of that same user can do it via the API.
Note that changes made to user permissions will immediately affect API sessions using that user's API3 keys. Permissions are rechecked with every API call.
In case we only want to give the user API credentials being a non-Looker user, we could also set a "blank" user and generate the keys there and share these credentials with the person to authenticate.