We are using the recycle bin and want to keep it. Hard delete is not an option for us.
For certain object types we restrict delete access, however, because there may be dependencies that would lead to orphan objects, or because deleting the object impacts another object's status. We use custom actions, therefore, that first check what needs to be done, then call a microservice that runs with higher privilege, as recommended elsewhere here in the Q&A.
The problem is that we need to provide user credentials to the service for the soft-delete operation, because only user accounts have a recycle bin. When we switch to API-key authentication, a deletion attempt will lead to an error saying the system user doesn't have a recycle bin.
We know that this way of authentication is deprecated, but we know of no other way to get what we want. Are we overlooking something?