This is a old and resolved post but I would nevertheless want to add to this. Removing authentication from the api isn’t a good design idea in general. If there are other calls in your api that create or edit resources in server side then it could be a potential threat if someone misuses the endpoint. From design standpoint it is better to wrap the actual api inside another outer api layer such as Amazon api gateway or your custom wrapper and expose only certain specific calls to public. The wrapper will use authentication to talk to actual API. This makes your system safe and secure. You can also use this wrapper system to create roles for finer access control to the actual API.