If you want to forbid anyone without a bearer token, that is best done in a plug in your router.
Are you using AshAuthentication?
Read actions apply policies by filtering by default. This protects from various security problems. You can change that by setting `access_type :strict` in the policy, but I suggest sticking with the default.
If you want to enforce it in each resource or domain (policies can also go on the domain), you can add a policy like this:
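```elixir
policies do
  # Applies only when the request has no actor
  policy actor_absent() do
    # Return a forbidden error instead of filtering the results
    access_type :strict
    forbid_if always()
  end

  # ...rest of policies
end
```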
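The router-level check suggested above, sketched as an added example that is not part of the original reply or of any project's code. The module name `MyAppWeb.Plugs.RequireBearer` and the verifier `MyApp.Tokens.verify/1` (assumed to return `{:ok, actor}` or `:error`) are hypothetical; `Ash.PlugHelpers.set_actor/2` is used to hand the verified actor to Ash.

```elixir
defmodule MyAppWeb.Plugs.RequireBearer do
  @moduledoc """
  Added example: halts with 401 unless the request carries a bearer token
  that the configured verifier accepts, so unauthenticated requests never
  reach an Ash action.
  """
  @behaviour Plug
  import Plug.Conn

  # Router usage (hypothetical verifier module and function):
  #   plug MyAppWeb.Plugs.RequireBearer, verify: {MyApp.Tokens, :verify}
  @impl true
  def init(opts), do: Keyword.fetch!(opts, :verify)

  @impl true
  def call(conn, {mod, fun}) do
    with [header] <- get_req_header(conn, "authorization"),
         [scheme, token] <- String.split(header, " ", parts: 2),
         # The auth scheme is case-insensitive; an empty token is rejected
         true <- String.downcase(scheme) == "bearer" and token != "",
         # Assumption: the verifier returns {:ok, actor} or :error
         {:ok, actor} <- apply(mod, fun, [token]) do
      # Make the actor available to Ash actions called with this conn
      Ash.PlugHelpers.set_actor(conn, actor)
    else
      # Missing, duplicated, malformed or rejected credentials all fail closed
      _ -> unauthorized(conn)
    end
  end

  defp unauthorized(conn) do
    conn
    |> put_resp_header("www-authenticate", "Bearer")
    |> send_resp(401, "")
    |> halt()
  end
end
```

The `actor_absent()` policy above then acts as a second layer for any code path that calls the resource without going through this pipeline.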