Register a new user API - Permission required is ridiculous

Can I register a new user within Okta using the APIs but without requiring high privileges ? I want to harden my application but it seems ridiculous to need such high level permissions to just allow registration.

The only API methods I can see to create a new user requires using an API token or JWK cert. I cannot see a scope that would only allow creation of users. Otherwise my options are 1) use API key or API claim “okta.users.manage”. Both of these options create a security risk the compromised key being able to dump all users or modify account details. All I want to do is create a new user but the security risk it too high.

I could use self-service registration. However, I need to set custom profile values that are required to be configured for my use cases. I could populate these values using Okta hooks BUT they only support basic authentication and are not compatible or secure for my requirements.

What more sensible options exist ?