What are the difference between creating an API client ID/Secret using the API Management screen vs PAT (Personal Access Token)?
PAT is linked to a user account and thus the user permissions can be modified, but if both have the scopes set to ‘sp:scopes:all’ and the user is an Admin, are there API that only work with one or the other?
Example of API that unfortunately does not work with PAT:
The API Management screen is for creating and managing OAuth clients with varying grant types. If you create a token with the client credentials grant type, then it doesn’t have a user assigned to it, so it has very little access. Only a handful of API endpoints, as @Angelo_Mekenkamp_Hnk pointed out, can be accessed with an OAuth token of client credentials. If you create a token with authorization code grant type, then that requires a user login to generate a token (useful for web apps that act on behalf of a user). Whichever user logs in will be granted a token with their user level, which determines which APIs they can access.
A personal access token in IdentityNow is an Oauth2 token that only has the client credentials grant type. However, the PAT is unique in that it associates the user that created the PAT to the generated access tokens, giving those tokens the same user level as the user that created it. So if you are an Admin user and you generate a PAT with sp:scopes:all, your PAT can access almost every API endpoint.
I did not say that only a couple of API endpoints can be accessed with an OAuth token of client credentials. I gave an example where an API endpoint is (unfortunately) not accessible by a PAT.