Code looks alright to me. Are you getting the correct API key? A “permission denied” would be the result of an incorrect key or the user doesn’t have access.
An admin user has access to everything indeed. What if you hardcode the key in the PHP, does that work?