zzo38computer 2 hours ago

I agree; you should allow non-TLS connections as well as TLS. (At least, access that does not require authentication should not require TLS, but should still allow it if that is what the client wants.)

If you are concerned about accidental login or API keys without TLS, then you can consider supporting mutual TLS, which improves security (and flexibility) in other ways as well. (You do not necessarily have to require mutual TLS, in case someone prefers to use a username/password login, or 2FA or something else like that instead.) (In the case of login forms, you can have the links to the login forms always use HTTPS, in order to avoid the problem.)
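The policy described in the comment above, written out as an added Go example (this is not code from the comment's author or from any project it refers to): unauthenticated paths are served over plain HTTP or HTTPS alike, a verified client certificate on a TLS connection counts as a login, a session cookie is honoured only over TLS so it never travels in clear, and a plain-HTTP request for the login form is redirected to HTTPS. The path list, the cookie name `session`, the session table and the certificate file names in `main` are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"net/http"
)

// Assumed: these paths need no authentication, so plain HTTP is acceptable for them.
var publicPaths = map[string]bool{"/": true, "/docs": true}

// AuthResult records whether a request is authenticated and how.
type AuthResult struct {
	Authenticated bool
	Subject       string
	Reason        string
}

// authenticate accepts a verified client certificate (mutual TLS) or a session
// cookie, but the cookie is only accepted when the connection itself is TLS.
func authenticate(r *http.Request, sessions map[string]string) AuthResult {
	if r.TLS != nil && len(r.TLS.VerifiedChains) > 0 {
		leaf := r.TLS.VerifiedChains[0][0]
		return AuthResult{true, leaf.Subject.CommonName, "mutual TLS"}
	}
	if r.TLS == nil {
		return AuthResult{false, "", "credentials are only accepted over TLS"}
	}
	if c, err := r.Cookie("session"); err == nil {
		if user, ok := sessions[c.Value]; ok {
			return AuthResult{true, user, "session cookie"}
		}
	}
	return AuthResult{false, "", "no valid credential"}
}

// handler applies the access policy to every request, whichever listener it arrived on.
func handler(sessions map[string]string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if publicPaths[r.URL.Path] {
			fmt.Fprintf(w, "public content for %s\n", r.URL.Path)
			return
		}
		if r.URL.Path == "/login" && r.TLS == nil {
			// Login forms are always reached over HTTPS, so a password is never posted in clear.
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusPermanentRedirect)
			return
		}
		res := authenticate(r, sessions)
		if !res.Authenticated {
			http.Error(w, res.Reason, http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "hello %s (via %s)\n", res.Subject, res.Reason)
	}
}

// tlsConfig asks for a client certificate but does not insist on one, so
// password and 2FA users can still connect over the same listener.
func tlsConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.VerifyClientCertIfGiven,
		ClientCAs:  clientCAs,
	}
}

// requestWithClientCert builds a constructed request that looks as if a client
// certificate with the given CN was verified during the handshake (for demonstration only).
func requestWithClientCert(method, target, cn string) *http.Request {
	r, _ := http.NewRequest(method, target, nil)
	r.TLS = &tls.ConnectionState{
		HandshakeComplete: true,
		VerifiedChains:    [][]*x509.Certificate{{{Subject: pkix.Name{CommonName: cn}}}},
	}
	return r
}

func main() {
	sessions := map[string]string{"tok123": "alice"} // constructed session table
	h := handler(sessions)
	go func() { log.Fatal(http.ListenAndServe(":8080", h)) }() // plain HTTP listener
	srv := &http.Server{Addr: ":8443", Handler: h, TLSConfig: tlsConfig(nil)}
	// "server.crt" / "server.key" are placeholder file names for the server's own certificate.
	log.Fatal(srv.ListenAndServeTLS("server.crt", "server.key"))
}
```

The same handler serves both listeners; the decision is taken per request from `r.TLS`, which is nil on the plain listener, so the policy cannot drift between the two ports.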