This is sure to cause temporary problems but it's for the best. Going forward, all api routes that you add will require authentication, unless you explicitly add this attribute: [Unauthenticated] If your plugin is creating a custom api, and if you're feeding that url to something external, then you'll need to make a decision on whether to make it unauthenticated or require the caller to provide authentication. Please let me know if you have questions. Thanks. @chef  @roaku @Chees