Protecting the API

If you want to forbid anyone without a bearer token that is best done in a plug in your router.

Are you using AshAuthentication?

Read actions apply policies by filtering by default. This protects from various security problems. You can change that by setting access_type :strict in the policy, but I suggest sticking with the default.

If you want to enforce in each resource or domain (policies can also go on the domain) you can add a policy like this:

policies do
  # With no actor present, refuse outright instead of filtering to an empty result
  policy actor_absent() do
    access_type :strict
    forbid_if always()
  end

  ...rest of policies
end
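Putting the two suggestions above together, as an added example that is not part of the original reply: an Ash 3 resource that forbids every action when no actor is present, plus a Plug for the router that rejects requests without a bearer token and hands the verified actor to Ash. MyApp.Blog, MyApp.Blog.Post, MyApp.Plugs.RequireBearer and MyApp.Tokens.verify/1 are assumed names, not from the post.

```elixir
# Added example, not from the original post. MyApp.Tokens.verify/1 is an
# assumed helper that maps a bearer token to an actor map or struct.
defmodule MyApp.Blog do
  use Ash.Domain
  resources do
    resource MyApp.Blog.Post
  end
end

defmodule MyApp.Blog.Post do
  use Ash.Resource,
    domain: MyApp.Blog,
    data_layer: Ash.DataLayer.Ets,
    authorizers: [Ash.Policy.Authorizer]

  attributes do
    uuid_primary_key :id
    attribute :title, :string, allow_nil?: false
  end

  actions do
    defaults [:read, :destroy, create: :*, update: :*]
  end

  policies do
    # :strict turns the default "filter the results" behaviour into an outright
    # Forbidden error, so an anonymous read fails loudly instead of returning [].
    policy actor_absent() do
      access_type :strict
      forbid_if always()
    end

    # Any authenticated actor may use the resource; tighten per action as needed.
    policy always() do
      authorize_if always()
    end
  end
end

# Router plug: reject requests without a bearer token before they reach Ash.
defmodule MyApp.Plugs.RequireBearer do
  @behaviour Plug
  import Plug.Conn
  def init(opts), do: opts
  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, actor} <- MyApp.Tokens.verify(token) do
      Ash.PlugHelpers.set_actor(conn, actor)
    else
      _ -> conn |> send_resp(401, "unauthorized") |> halt()
    end
  end
end
```

With this in place, `Ash.read(MyApp.Blog.Post, actor: nil)` returns `{:error, %Ash.Error.Forbidden{}}` rather than `{:ok, []}`, which is the difference the :strict setting makes.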