The hash parameter allows you to prepare REST requests that can be executed by unauthenticated users. Requests that contain the hash parameter ignore the credentials specified in the authentication header.
This is why there are restrictions like you can use only GET and you cannot use hash parameter authentication for /all object retrieval requests. This is an intentional security limitation that protects global data in the system.
You can have 1 hash to access all the collections, but you have to enter the list of all URLs for all the collections!!! On top of that, each URL is the full absolute URL of the REST request, including the protocol, website domain name, virtual directory, REST path, and query string parameters. Do you want to do it?
So you were on the right path: create a user, give him a privilege level and permissions, and use basic authentication.
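An added illustration, not part of the original answer and not the product's actual hashing algorithm: a hypothetical HMAC-SHA256 scheme showing why a hash is tied to one full absolute URL and how the GET-only and /all restrictions could be enforced. The secret, host, paths and function names are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: a server-side secret; constructed for this demo.
SECRET = b"constructed-demo-secret"

def sign_url(url: str) -> str:
    """Hash for one full absolute URL (hypothetical HMAC-SHA256 scheme)."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()

def with_hash(url: str) -> str:
    """Append the hash as the last query string parameter."""
    sep = "&" if urlsplit(url).query else "?"
    return f"{url}{sep}hash={sign_url(url)}"

def authorize(method: str, request_url: str) -> tuple[bool, str]:
    """Decide whether a hash-authenticated request may run without credentials."""
    base, marker, supplied = request_url.rpartition("hash=")
    if not marker or base[-1:] not in ("?", "&"):
        return False, "no hash parameter"
    original = base[:-1]  # the exact URL that was signed
    if method.upper() != "GET":
        return False, "hash requests are GET only"
    if urlsplit(original).path.rstrip("/").lower().endswith("/all"):
        return False, "hash not accepted for /all requests"
    expected = sign_url(original)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "hash does not match this URL"
    return True, "ok"

# Constructed sample URLs (hypothetical host and paths).
URL_A = "https://example.com/app/rest/collection-a?format=json"
URL_B = "https://example.com/app/rest/collection-b?format=json"
URL_ALL = "https://example.com/app/rest/collection-a/all?format=json"
URL_A_HTTP = URL_A.replace("https", "http", 1)

if __name__ == "__main__":
    for method, url in [
        ("GET", with_hash(URL_A)),
        ("POST", with_hash(URL_A)),
        ("GET", f"{URL_B}&hash={sign_url(URL_A)}"),       # hash reused on another URL
        ("GET", f"{URL_A_HTTP}&hash={sign_url(URL_A)}"),  # protocol changed
        ("GET", with_hash(URL_ALL)),
    ]:
        print(method, url.split("hash=")[0], authorize(method, url))
```

Because every byte of the URL feeds the hash, each collection, protocol and query string variant needs its own entry, which is the maintenance cost the answer describes.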