While you do not need to always supply a JWT or Session Token with any API requests, you must supply an API Key with every call. As you have seen the “Guest Access” page already, I wanted to just follow that up with this snippet:
Applications can be given “guest” access by assigning a default role to an application, detailing what resources should be accessible without user authentication. This is useful, if your application has an open “website” or kiosk mode.
This would enable you to basically open the endpoints you wanted, while maintaining the architectural restriction of always passing an API key. This restriction is purposeful to allow you, as the administrator, to have full control of the access of the data. If you set up Guest Access and just put the API key in a config file or .env file and then called it as needed in your app, akin to something like this in a React app I am building:
If that app had no restrictions on it, I can make that GET call from anywhere, as long as the role assigned to that API key allows for unlimited traffic.
That is as close as DF comes to having a “wide open” data source.