The spec states:
A method MUST be one of the HTTP methods defined in the HTTP version
1.1 specification [RFC2616] and its extension, RFC5789 [RFC5789].
That means any of the following methods are allowed: options get head post put delete trace connect patch.
The CONNECT and TRACE methods are of no use whatsoever when defining a REST API. The CONNECT method does not define an action on an end-point and the TRACE method merely echos back a request body. The spec should specify that these methods are not allowed since it makes no sense to support them.
Similarly, the OPTIONS method has no well defined semantics, although a case could be made for its use. (E.g. see http://zacstewart.com/2012/04/14/http-options-method.html). But even these proposals are of no use when defining an API. Rather, they are about API discovery. So I suggest that OPTIONS be disallowed as well.