If you are logged into the Admin Console in the same browser, the browser will keep passing the admin’s session token with requests, so that you are not prompted for login. I recommend you test using a different browser, a REST client, CURL, or with a separate machine/browser to be sure you’re authenticating and passing headers correctly.