The call will return a 401 and redirect to the login page.
Note: If I create a custom plugin and define my route there it works perfectly. But with a simple api route (defined in /api) it does not work (unless I disabled auth altogether)
Your route definition leaves the config.auth field undefined, which means you’ll get the default behaviour of requiring the user of the API endpoint to be authorized (either logged in or using an API token). However, if step 2 of your example occurs within the admin UI then getFetchClient should add the required token, automatically … unless you’ve added some ‘public user’ code to your admin UI. If you want the API endpoint to be available without authorization, just put auth:true in the route config object. But if you expected that the user would have been authorized and you’re still getting a 401 error, there might be some other problem. [You did remember to create a controller for the API, and you did remember to restart your server before trying to use the API endpoint?]