There is a missing feature to have both basic auth and session auth working at the same time on the REST API (covered in ticket EZP-22192). Enabling both of them at the same time leads to issues (
EZP-27184). There is a warning in the code regarding this, introduced here: EZP-27222.
However, there is no mention of this in the documentation (https://doc.ez.no/display/DEVELOPER/REST+API+Authentication) and we could make it more clear there.