Look in the System Management Portal under System Administration, Security, Applications, Web Applications, and look for the /csp/sys application. That's the System Management Portal. You can probably set a required resource there, and then only people who have that resource should be able to access it. You'll probably want to make a new resource, not just use an existing one. Just make sure you have that resource before you make that change so you don't lock yourself out!
Calling the methods this way is effective for testing the methods, yes. You just want to get really familiar with the %CSP.Request class. This approach isn't a good way to troubleshoot issues with your routes, or with authentication, though, as it bypasses those steps. For that, you'd probably have to define %request appropriately, then call some of the methods your API inherits from %CSP.REST, but I'm not as familiar with those.
Here's my small but useful contribution:
Add an "Add Server to VS Code" Option to System Tray Icon