The REST API is for manipulating individual records in the database.
Technically you can create orders via this API from third-party apps. However, it is not the recommended way because creating a single order requires a number of database records to be inserted/updated. If any of the API requests fail during the process you may end up with an inconsistent database. Instead, it makes sense to create another module (or extend this one) and add one more API request that will perform all the steps at once on the server.
As for authentication: this is not what the API was designed for. Again, you can directly manipulate user and session data through the API. But the recommended way is to code this the way it was done in the free WordPress integration module (you can install it and check the source code).
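The point about order creation, as an added example (not code from this module or its API): it compares writing an order record by record, where each write commits on its own, with one server-side operation wrapped in a transaction. The two-table schema, the function names and the use of SQLite as a stand-in for the shop database are assumptions made for illustration.

```python
import sqlite3

# Hypothetical minimal schema; a real shop has many more order-related tables.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL);
CREATE TABLE order_items (
    id INTEGER PRIMARY KEY,
    order_id INTEGER NOT NULL REFERENCES orders(id),
    sku TEXT NOT NULL,
    qty INTEGER NOT NULL CHECK (qty > 0));
"""

def new_db():
    # isolation_level=None: every statement commits on its own unless we BEGIN.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript(SCHEMA)
    return db

def create_order_per_record(db, customer, items):
    """Mimics a client issuing one per-record request after another."""
    order_id = db.execute(
        "INSERT INTO orders (customer) VALUES (?)", (customer,)).lastrowid
    for sku, qty in items:
        db.execute(
            "INSERT INTO order_items (order_id, sku, qty) VALUES (?, ?, ?)",
            (order_id, sku, qty))
    return order_id

def create_order_atomic(db, customer, items):
    """Mimics a single server-side request: all steps succeed or none do."""
    db.execute("BEGIN")
    try:
        order_id = create_order_per_record(db, customer, items)
        db.execute("COMMIT")
        return order_id
    except sqlite3.Error:
        db.execute("ROLLBACK")
        raise

def demo():
    # Constructed input: the second item violates the qty > 0 constraint.
    items = [("SKU-1", 2), ("SKU-2", 0)]
    results = {}
    for name, fn in (("per_record", create_order_per_record),
                     ("atomic", create_order_atomic)):
        db = new_db()
        try:
            fn(db, "alice", items)
        except sqlite3.IntegrityError:
            pass  # the failing step
        orders = db.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
        lines = db.execute("SELECT COUNT(*) FROM order_items").fetchone()[0]
        results[name] = (orders, lines)  # (order rows, item rows) left behind
    return results

if __name__ == "__main__":
    print(demo())
```

The per-record path leaves an order with only part of its items in the database, while the transactional path leaves nothing behind after the same failure.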