Should anonymous authentication be enabled or disabled when using token authentication?
This is a common point of confusion when setting up token-based authentication, so here is the breakdown.
Short answer: disable anonymous authentication globally, and re-enable it only for specific, intentional public endpoints such as a login or signup endpoint or a public status page.
Why?
First, the behaviour you noticed is the expected one. Disabling anonymous authentication does not block all access; it rejects requests that present no credentials at all. A request that carries a valid token still authenticates, because the token is the credential. A request that carries an invalid or expired token should be rejected in either mode, since the anonymous setting only governs what happens when nothing is presented.
Here’s a deeper breakdown of the reasons:
- Security first: with anonymous authentication enabled, a request with no token at all is still admitted to the server, typically under an "anonymous" identity, and whether it can reach anything then depends entirely on your authorization rules being correct. If the goal of tokens is to restrict access to authorized users, that is an unnecessary second path into the system: a key-only front door with an unlocked side door.
- Clearer authentication logic: disabling anonymous authentication globally makes the rule unambiguous: every request must present a valid token. You avoid debugging why some requests get through without a token, and you avoid maintaining exceptions on most of your endpoints instead of on a short allowlist.
- The "token still works" behaviour is correct: turning anonymous authentication off tells the server "reject anyone who cannot prove an identity". Tokens are how clients prove identity here, so validating them and admitting the valid ones is exactly what you configured. With anonymous authentication enabled you would admit both token-authenticated and credential-less requests, which defeats the purpose of requiring tokens.
A Quick Exception
If some endpoints must be reachable without credentials (a login endpoint where a client obtains its first token, or a public status page), override the global setting and allow anonymous access only on those paths. Keep that allowlist explicit and short, and review it: anything on it is reachable by anyone on the network, so only endpoints that genuinely need to be public belong there. This keeps the overall posture tight while still supporting the public functionality you need.
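The following is an added example, not code from the original answer or from any particular server, showing the policy above as a small authentication layer: HMAC-signed bearer tokens, a global `anonymous_auth_enabled` switch, and a per-path allowlist for the public endpoints. The token format, the `SECRET_KEY`, the `ANONYMOUS_ALLOWLIST` contents and the `authenticate` function are all assumptions for illustration. One design choice worth noting: a token that is presented but invalid is rejected even when anonymous auth is on, so a forged token can never quietly downgrade to anonymous access.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret for this example; a real deployment loads it from a secret store.
SECRET_KEY = b"demo-signing-key-do-not-use-in-production"

# Hypothetical allowlist: endpoints that stay public even when anonymous auth is disabled globally.
ANONYMOUS_ALLOWLIST = {("POST", "/login"), ("GET", "/status")}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint a compact bearer token: base64url(payload) '.' base64url(HMAC-SHA256(payload))."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the token is well-formed, correctly signed and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def authenticate(method: str, path: str, headers: dict,
                 anonymous_auth_enabled: bool,
                 now: Optional[float] = None) -> Tuple[int, Optional[str]]:
    """Authentication decision for one request.

    Returns (status, principal). 200 means the request may proceed to the handler,
    where authorization is still applied to the principal; 401 means it is rejected.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        subject = verify_token(auth[len("Bearer "):], now)
        if subject is None:
            # Presented but invalid: always reject, regardless of the anonymous setting.
            return 401, None
        return 200, subject

    # No credentials presented at all: this is the only case the anonymous setting governs.
    if anonymous_auth_enabled or (method, path) in ANONYMOUS_ALLOWLIST:
        return 200, "anonymous"
    return 401, None


if __name__ == "__main__":
    token = issue_token("alice")
    print(authenticate("GET", "/data", {"Authorization": "Bearer " + token}, False))
    print(authenticate("GET", "/data", {}, False))   # rejected: no credentials, anonymous off
    print(authenticate("POST", "/login", {}, False)) # allowed: explicit public endpoint
```

Run with `anonymous_auth_enabled=True` to see the difference: the credential-less `/data` request is then admitted as `"anonymous"`, and only your authorization rules stand between it and the resource.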
The question is from Stack Exchange, asked by rideintothesun.