A key thing to keep in mind: if you have an authorization header with a bearer JWT value, your request is no longer public (regardless of the public permissions). If that JWT belongs to a user assigned to a role, or that JWT is invalid, you will get a 4xx error.