Suppose I have an API called “User”, and in there is a /session and a /tasks endpoint. Is it possible to have POST /session open (so the user can log in) while at the same time having GET /tasks requiring authorization? Or do we have to create two different definitions that point to the same service?
You’ll need to add an entry to the ignore_list of the extended_paths section in the definition. It looks like the docs there are sparse, I’ll flag it with the team here.