Creating APIs without authentication unnecessarily increases the attack surface on
the target infrastructure.

Unless another authentication method is used, attackers have the
opportunity to attempt attacks against the underlying API. +
This means attacks both on the functionality provided by the API and its
infrastructure.