> I can have the web-app log in as the user via the REST interface in
> theory. Currently the users are auto-created and unprivileged - does
> that have to change?

You just have to ensure that they have sufficient rights, probably by
granting them to the Requestors role.

> Will they need to be privileged

No, but you will need to tell RT that unprivileged users can reach the
REST endpoint using the SelfServiceRegex config.

> or have passwords to be usable via REST?

Yes - otherwise how would you log in as them?

