I'm accessing my Openfire server from a separate device.
But, after a couple of hours of battling, I realised I had to open the Admin port for external access, since the REST API shares it.
I realise that the REST API allows for a third party to make extensive modifications to an Openfire instance, but it still seems a lot less damaging than access to the Admin console.
I'd like to avoid opening the admin console to external access, if possible.
Is there a way of moving the Openfire REST API to another port?
This is currently not possible. The functionality provided by the REST API for Openfire is considered 'administrative', and thus should, largely, be treated with the same authorization/authentication considerations as the admin console.
The desire to be able to apply a more specialized set of conditions to authentication/authorization is valid, but is currently simply unsupported. An issue was filed a while ago to improve this. You can find that issue here: https://github.com/igniterealtime/openfire-restAPI-plugin/issues/177