Some time ago I was setting up a Zapier script that would create service desk requests based on emails received. One issue I faced is that permission on the REST API are completely different from what you would expect by using the Service Desk portal. For example, anonymous users can just create a service desk request through the portal and provide their email as the reporter, but when trying to use the API to achieve this, a token with admin permissions (it might have even been global admin or something like that) was required in order to create a customer in order to tie that user to the request.
This was not ideal for us, as we were hesitant to use tokens with such rights in that context. Ideally a regular user token should be enough to do this, since it can be done through the portal anonymously.