Well, I am in that boat (SSO, not an admin), and I later got an admin to create a special bot user for Jenkins to bypass SSO (without success so far:
JENKINS-42365). Before that, I was hoping to avoid putting my password into Jenkins, and I'd prefer not to put the bot's password in either.
I was under the impression Rocket.Chat had API keys, but apparently not (just temporary tokens): https://rocket.chat/docs/developer-guides/rest-api/authentication/
Unless Rocket.Chat gets API keys with restricted capabilities (eg only write to a particular channel, no reading), they wouldn't really be more secure than passwords anyway.
Without API keys in Rocket.Chat, I think my request is invalid. Closing.
PS webhook integrations in Rocket.Chat do seem to have restricted capabilities, so I would support that idea. I think it should be a separate issue though.