It may not be supported. However, do you have your settings and the user who is authenticating properly set up? According to the documentation you need to make sure the user authenticating has Global Administrator privilege level set AND the setting "Allow sensitive fields for administrators" for the REST API are checked.
If the field "Allow sensitive fields for administrators" is enabled, REST requests authenticated using the credentials of users with the Global administrator privilege level are allowed to work with data fields that contain sensitive information (for example fields related to passwords).