Because large queries can hurt site performance, WordPress caps the per_page REST parameter at 100 records. However, there are situations where you need to override this value. Luckily, this is easy to do, and this post explains how.
How to Restrict Access to User REST API in WordPress
By default, WordPress allows an unauthenticated user to view the list of registered users through the REST API. By contrast, to view the list of users in the Dashboard, a user needs to have the list_users capability (that is, be an Administrator). While the REST API does not expose sensitive information (such as emails) to unauthenticated users, it may be desirable to restrict the users endpoint from unauthenticated users.
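
One way to close the users endpoint to unauthenticated requests, shown as an added example rather than code from the original post. It hooks the core rest_pre_dispatch filter; the function name example_restrict_users_endpoint is hypothetical, and the snippet is assumed to live in a small plugin or mu-plugin.

```php
<?php
/**
 * Added example: require a logged-in user for /wp/v2/users and its sub-routes.
 * The function name is hypothetical; the hooks and helpers are WordPress core.
 */
add_filter( 'rest_pre_dispatch', 'example_restrict_users_endpoint', 10, 3 );

function example_restrict_users_endpoint( $result, $server, $request ) {
	// Respect a response or error already produced by an earlier filter.
	if ( null !== $result ) {
		return $result;
	}

	// Only guard the core users routes: /wp/v2/users, /wp/v2/users/<id>, /wp/v2/users/me.
	if ( ! preg_match( '#^/wp/v2/users(/|$)#', $request->get_route() ) ) {
		return $result;
	}

	// Authentication has already run by the time requests are dispatched,
	// so the current user reflects cookie+nonce or application-password auth.
	if ( is_user_logged_in() ) {
		return $result;
	}

	// Returning a WP_Error short-circuits the request before any user data is queried.
	return new WP_Error(
		'rest_user_cannot_view',
		__( 'Sorry, you are not allowed to list users.' ),
		array( 'status' => rest_authorization_required_code() ) // 401 when logged out.
	);
}
```

To confirm the change, request /wp-json/wp/v2/users without credentials and check for a 401 response, then repeat as a logged-in user to make sure the editor's author lookups still work.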