While you can certainly have open APIs that require user authorization, it’s always a nice indication of just how open something is when there are public endpoints. Mastodon and Bluesky both get this.

@manton I personally am in favor of authenticated endpoints in general. However, I favor having an unauthenticated endpoint called "Create Account" or something similar, so anyone can create an account if needed. This way, you can enforce spamming rules on the account creation side if someone is malicious.