REST API access is forbidden by default in web server configuration.
You must allow and protect access (for example with htaccess).
You must also enable rest_api in configuration:
$use_restapi = true;
Here are available services:
../rest/v1/doc/openapi-spec.yaml