That is possible if you use the built in customer portal and webshop options. Look at the manual for details on that.
Your question specified using the REST API. Right now, you must be authenticated to use the REST API against ERPNext. I would say that is a very good system design decision and things should remain that way. If you really must use a third party integration to do what you ask, then yes, you do need to hardcode credentials. There are secure ways to do that with enough mitigations in place to minimize risk (ip whitelisting, using middleware to sync, and so on), so that just requires analysis from your architecture team.
If however you absolutely require an unauthenticated endpoint to create website users, then you’ll need to send a pull request to the core erpnext code on github which implements the endpoint.