I ran into this same problem with one of my infosec users wanting access to the RestAPI. I created a new role "restapi" and added his account. The only capability I added to the new role was rest_apps_management and this allowed him to log in to the API successfully.
... View more