Is there a scenario where you're seeing that users cannot? The REST API requires a usertoken or a temptoken which may be a little more obscure to an everyday user, but there isn't anything specific about the REST API that would prohibit non-Admins from using it.
If you're trying to have non-Admins access your app via the REST API they would need to use their own usertoken or setup a process to generate a temporary one via whatever process they're accessing your application.
------------------------------
Chayce Duncan
------------------------------