This is a general question just to confirm my understanding of how policies and general authentication for a plugin's custom routes work.
- If you disable authentication completely ({auth: false}), this is a “public route” that can be accessed from anywhere.
- If you have no additional configuration, then
  - the route REQUIRES that you are a logged-in user.
  - by default, any logged-in user can hit the route.
  - If you are not logged in and just hitting it from the outside, it always returns a 401 and no policies are checked.