While you can certainly have open APIs that require user authorization, it’s always a nice indication of just how open something is when there are public endpoints. Mastodon and Bluesky both get this.