You could create 2 APIs, a keyless one and an authenticated one. Make the authenticated one internal only. Configure the keyless one with an advanced url rewrite, which checks for authorization header match. If it exists, use looping to pass the request to the authenticated api. If the header doesn’t exist, the api will just proxy to upstream.
@leon could you verify this logic for me?