Please correct me if I'm wrong. Here I'm trying to summarize the typical application and access setup for a Mobile|PC REST client.
1) Create a named service for whatever DB backend you decide on. Optionally, if the DB is empty, create the schema and (optionally) upload data. Otherwise, the DB schema and data are already there.
2) Create access roles for components of the service created in 1). I assume that, in the general case, there should be at least two roles: a read-only role for guest/anonymous access, and a read-write role for registered users' access.
3) Create one or more application declarations (ApiKeys), for instance to distinguish between clients on different platforms.
4) Create a user account for unregistered access (I know how it sounds, but I did not find another way to provide guest access for an application). Assign the guest role for the application(s) on this account.
After that, clients may request a session token for the guest (anonymous) user on a specific application, then access this application under this anonymous account's role.
If there are registered users for the application in question, we may initialize another session, getting more access rights for the application.
Working in this manner, I've managed to connect to the application (initiate a session) and request data using the Postman REST debugger tool.