The webapp comes with its own, secured, REST endpoints. However, if you want to use a public REST API, you should add the starter-rest dependency, which gives you access to the full camunda REST API under /rest.
You can leave it open or secure it anyway you like.
Thanks for your feedback
I’ve managed to make it work with the 2 following artifactIds
camunda-bpm-spring-boot-starter-webapp
camunda-bpm-spring-boot-starter-rest
and adding HttpBasicAuthenticationProvider filter on /rest/*
I can now access the rest API on /rest/engine/default/user