Is there a permission system for the Finesse APIs?

Yes, there is such thing as a permissions system for the Finesse API. You can find the permissions per REST API under "Security Constraints" in the appropriate table in the Finesse Developer Guide. For example, for the User - GET User REST API

The security constraints states:

Agents can only get their own User object. Administrators can get any User object.

To get the User object, a user must be signed in, or provide valid authorization credentials when challenged.

That means that agents can only use this API on their own object and administrators can use this API for any agent.

You can find the Finesse Developer Guide on the Finesse DevNet site: https://developer.cisco.com/site/finesse/ under Docs -> Guides -> REST API Developer Guide.