<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=333690) </details> <!--IssueSummary end--> Querying MR discussions via API requires `PRIVATE-TOKEN` to be set, and if not provided, results _correctly_ in 401, as per [docs](https://docs.gitlab.com/ee/api/discussions.html#merge-requests): ```bash $ curl https://:base_url/api/v4/projects/:id/merge_requests/:merge_request_iid/discussions {"message":"401 Unauthorized"} ``` However, if I call the endpoint used by frontend, I am able to read all the discussions without any authorization: ```bash $ curl https:/:base_url/:owner/:repo/merge_requests/:merge_request_iid/discussions.json # The whole JSON here ``` Is this intended? I couldn't find any documentation on this.