Confusing Process to get API Client to Work - Help

I'm baffled as to how to ultimately get our backend service to talk to the Chat API so we can add users/organizations programmatically. I have read the countless posts about it and besides being out of date they tend to use the same terminology for different things and ultimately link back to stuff that doesn't help. Surely I cannot be the only person trying to do this very simple thing.

Here's what I understand at this point. 

- There are 2 different APIs and oauth clients. The first API/client is related to “managing” Zendesk stuff. The second API/client is specifically for Chat API. I have no idea if this is correct or why this even exists but let's move on.

- In order to use client credentials for the Chat API we have to first create the OAuth client in the UX, then use Postman or related to update that client to mark it as confidential

Here's what we want to do.

- Programmatically create new/update existing users and organizations via the API with NO interaction from the actual end user.

- Integrate the chat web widget into our app and pass along the user ID we generated such that agents can see the user's data and related organizations. Ideally this would be done using the messenger widget and JWT but as documented on the support site and elsewhere this doesn't allow us to pass any data besides the user information which makes it mostly useless.

- We DO NOT have any plans to create a dummy redirect site to prompt the end user for any permissions to access their account. We create and manage these accounts and will be doing all this ourselves. 

Here's where I'm at.

- We added a Chat API Oauth client via (Apps and Integrations\Connections\OAuth Clients).  

- We have the widget hosted in our web app and we are generating and passing the correct JWT to ZD such that we should be able to connect to the correct user, once we get them programmatically created.

- We added an API OAuth client via (Apps and Integrations\APIs\Zendesk API\OAuth clients).

- Using the API client we are able to 

   - Use Postman to authenticate using password grant

   - Using token can get API Oauth clients and a few other endpoints to work

- In order to switch the Chat API Oauth client to confidential we need to get access to it.

  - Using the Chat API \ List Chats endpoint generates 401 because our API OAuth Client doesn't have permissions?

What we need help with.

- What are the 2 different OAuth clients used for and do we need both?

- How do we programmatically flip the Chat API Oauth client to confidential using our existing password grant OAuth client?

- Which OAuth client should we be using to add/edit users and organizations?

- Which OAuth client should we be using (if any) for the web widget integration that is already working?