You can completely disable the API for the frontend or set a custom slug. The default slug is
return [ 'api' => false ];
return [ 'api' => [ 'slug' => 'rest' ] ];
By default authentication via basic auth is only permitted when https is enabled. In rare cases (e.g. during local development), it might be necessary to allow basic auth even when https is not enabled.
return [ 'api' => [ 'allowInsecure' => 'true' ] ];