Authentication occurs at a higher level than all of the modules which handle requests. If you turn on debug does it actually find the endpoint? (It’s identified based on the user portion of the From) If not then you could enable the anonymous endpoint which directs all unidentified requests to the anonymous endpoint. Otherwise there is no way to control it. I also assume you mean our behavior of how we handle incoming OPTIONS requests.