Hi Chrift, thanks for the question.
-
for limiting the route to authenticated users, we don’t really need to write a custom policy. From the Roles & permissions UI, instead of public, we can select the roles to be one of the authenticated roles.
-
yes, once the access is restricted to authenticated roles, we need to make an authenticated request.
I hope you find the links useful. In case of queries, please feel free to ask.