It turns out that the user.create endpoint doesn't accept an empty list of developerAccountPermissions. I tried not sending the parameter, sending an empty list, and sending DEVELOPER_LEVEL_PERMISSION_UNSPECIFIED since we don't want these users to have developer account access, but all of these cause the code 500 to be returned. Setting an actual developer account permission fixes the issue.

e.g.

createUserRequestBody = {'name': userId, 'email': user["email"], 'developerAccountPermissions': ["CAN_VIEW_FINANCIAL_DATA_GLOBAL"]}