Like, the basic flow would check the validity and, implicitly, the presence of the auth header. To bypass auth in the case of the absence of the header itself would need to be an explicit conditional. IF no header, then authenticated. Right? That’s crazy.
I suppose I could look at the code.
I'd probably forget to write it... but it would be useful and easy.