Do you think that would be the case even if I can log in through the Strapi UI and make protected requests via API with a valid token?
It sounds like something is preventing it from checking permissions when a public request comes in but I can’t think of what it could be as the DB credentials definitely work for all Strapi UI actions and authorized client requests (I’ve just done this to test with a valid token).
Just for clarity the issue is when I send an Axios request from a react client to the Strapi backend