There are serious considerations around the credentials (that you would have to provide to the user, or embed into your script) and the permissions assigned to those credentials. I’m not certain you’ve considered the security aspects of what you’re asking.
Yes, the REST API can send actions, but it would still be necessary to choose which actions, targeting which machines.
It would be great for an integration with a ticketing system, say, ServiceNow, keeping the authorization in a CR workflow, with a defined set of allowable actions. But as far as just letting an end-user initiate any random action, no, that’s not something to pursue.