Confirmation of how plugin router authentication/policies work

This is a general question just to confirm my understanding of how policies and general authentication for a plugin's custom routes work.

  • If you disable authentication completely ({auth: false}) this is a “public route” that can be accessed from anywhere.

  • If you have no additional configuration, then

    • the route REQUIRES that you are a logged-in user.
    • by default, any logged-in user can hit the route.
    • If you are not logged in and just hitting it from the outside, it always returns a 401 and no policies are checked.

Yes, plugin routes will let anyone who is authenticated in unless you add permissions.
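
The behaviour confirmed in this thread, modelled as an added example that is not part of the original posts or of any framework's own code: it classifies routes by who can reach them and shows that the 401 is decided before any policy runs. Only `auth: false` comes from the thread; the `config.policies` field, the 403 status, and all route paths and policy names are assumptions.

```javascript
// Added example, not framework code. Only `auth: false` comes from the page;
// `config.policies`, the 403 status, and every path and policy name below
// are assumptions made for illustration.
const routes = [ // constructed sample routes
  { method: 'GET', path: '/status', config: { auth: false } },
  { method: 'GET', path: '/items' },
  { method: 'DELETE', path: '/items/:id', config: { policies: ['isEditor'] } },
];

// Hypothetical policy: only users with the "editor" role pass.
const policyImpls = { isEditor: (user) => user.role === 'editor' };

// Who can reach a route, judged from its configuration alone.
function classifyRoute(route) {
  const config = route.config || {};
  if (config.auth === false) return 'public';
  const policies = config.policies || [];
  return policies.length > 0 ? 'policy-restricted' : 'any-authenticated-user';
}

// Model of the flow in the question: the 401 is decided before any policy runs.
function handleRequest(route, user) {
  const config = route.config || {};
  if (config.auth !== false && !user) return { status: 401, policiesRun: 0 };
  let policiesRun = 0;
  for (const name of config.policies || []) {
    policiesRun += 1;
    if (!policyImpls[name](user)) return { status: 403, policiesRun };
  }
  return { status: 200, policiesRun };
}

// Review aid: list every route that is not restricted by a policy.
function auditRoutes(list) {
  return list
    .map((r) => ({ route: `${r.method} ${r.path}`, exposure: classifyRoute(r) }))
    .filter((r) => r.exposure !== 'policy-restricted');
}

console.log(auditRoutes(routes));
```

Running `auditRoutes` over a plugin's route list during review surfaces the routes that any logged-in user, or anyone at all, can reach.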