The legacy_api_password auth provider is currently enabled by default, assuming you have an API password configured. This allows using the REST API as before. And it doesn’t matter whether you log into the frontend using the new user system or the legacy_api password. E.g., I use the new user system to log into the frontent, yet the REST API still works using ?api_password=xxx.