I believe that limiting UPS, which has a REST API, to be used only via the Admin UI is a huge fail.
We also have this: http://aerogear.org/docs/specs/aerogear-push-rest/ which is no longer valid. As you said, /send is the exception; however, given the broken auth, the other REST APIs are useless.
There are ways to enable the REST API via direct access. The question for Bruno Oliveira is whether that has some security impact. Also, as we removed the KeyCloak Admin UI, it is impossible for a user to enable direct REST API access on his own.