Security
As described in Monitoring tools and security, client access to a Management API and endpoints requires that they authenticate as a user with the manage-user role. If custom Plugin code requires additional privileges, you can create and assign a custom role to users of the Management API to enable that functionality.
If you have enabled SSL on the Manage App Server, your resource address must start with HTTPS, rather than HTTP, and you must have a MarkLogic certificate authority on your browser, as described in Accessing an SSL-Enabled Server from a Browser or WebDAV Client in Securing MarkLogic Server.