diff --git a/config/app_local.example.php b/config/app_local.example.php
index 3a32c307b..390a503da 100644
--- a/config/app_local.example.php
+++ b/config/app_local.example.php
@@ -84,9 +84,13 @@
  *
  * ## Options
  *
+ * - `allowed` - Array of allowed methods per endpoint.
  * - `blocked` - Array of blocked methods per endpoint.
  */
 // 'ApiProxy' => [
+ // 'allowed' => [
+ // 'products' => ['GET', 'POST', 'PATCH', 'DELETE'],
+ // ],
 // 'blocked' => [
 // 'objects' => ['GET', 'POST', 'PATCH', 'DELETE'],
 // 'users' => ['GET', 'POST', 'PATCH', 'DELETE'],
diff --git a/src/Controller/ApiController.php b/src/Controller/ApiController.php
index 825634b6b..03bb8f278 100644
--- a/src/Controller/ApiController.php
+++ b/src/Controller/ApiController.php
@@ -79,15 +79,14 @@ protected function allowed(): bool
 $blocked = in_array($method, $blockedMethods[$action] ?? []);
 $modules = $this->viewBuilder()->getVar('modules');
 $modules = array_values($modules);
- $modules = (array)Hash::combine($modules, '{n}.name', '{n}.hints.allow');
 $modules = array_merge(
- $modules,
- [
- 'history' => ['GET'],
- 'model' => ['GET'],
- ],
+ (array)Hash::combine($modules, '{n}.name', '{n}.hints.allow'),
+ ['history' => ['GET'], 'model' => ['GET']],
+ );
+ $allowedMethods = array_merge(
+ (array)Hash::get($modules, $action, []),
+ (array)Hash::get((array)Configure::read('ApiProxy.allowed'), $action, []),
 );
- $allowedMethods = (array)Hash::get($modules, $action, []);
 $allowed = in_array($method, $allowedMethods);
 return $allowed && !$blocked;
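Review bot: The new `allowed` line in the options comment of app_local.example.php does not say how the option combines with the other sources, which is the part an operator needs to get right: in the ApiController hunk the configured list is appended to the module's `hints.allow` with array_merge, and `return $allowed && !$blocked;` means a method listed in `blocked` still loses, so a config entry can only widen the backend's allowlist and never override a block. I would extend the doc line to ` * - \`allowed\` - Array of additionally allowed methods per endpoint (merged with the module hints; \`blocked\` takes precedence).` It is also worth stating that endpoint keys must be plain names: `blocked` is read as an exact array key (`$blockedMethods[$action] ?? []`) while `allowed` is resolved through `Hash::get`, which treats dots in the key as path separators, so a key containing a dot would be matched by one list and not the other. The enclosing options comment block starts before this hunk.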