Just wanted to point out an issue that could potentially expose endpoints. I'm using the TypeScript version of Encore.
In the APIOptions interface definition there is a comment indicating that when not specified, the value for auth is defaulted to false. It's mentioned in the interface's comments:
```ts
export interface APIOptions {
  // ...omitted other fields for brevity...
  /**
   * Whether or not the request must contain valid authentication credentials.
   * If set to true and the request is not authenticated,
   * Encore returns a 401 Unauthorized error.
   *
   * Defaults to false if not specified.
   */
  auth?: boolean;
  // ...omitted other fields for brevity...
}
```

To an unsuspecting new Encore developer, this comes with the implication that their endpoint may be public without them ever realizing.
I think there are two possible routes to make this better and "secure by default":
- Make the `auth` field explicit (no default) -- i.e. a developer must make a decision whether to set it to `true` or `false`
- (breaking change) Make the `auth` field default to `true`. However this will change existing functionality for existing Encore users as some endpoints which were previously public will become authenticated.
Either way something like this is bound to create a real problem for one of your framework users one day.
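
One way to audit a code base for the situation described in this issue, as an added example that is not part of the original issue or of Encore's own code: a dependency-free scan that lists every `api({...})` definition whose options never set `auth`. The function names and the sample source are hypothetical, and the scan assumes the options are written as an inline object literal.

```typescript
// Added example, not Encore's code: list api({...}) definitions that omit `auth`
// and so rely on the documented default of false. Assumes the options are an inline
// object literal; braces inside strings and shorthand `{ auth }` are not handled.
interface Finding { line: number; options: string }

// Text of the object literal whose "{" is at index `open`, or null if unbalanced.
function readObjectLiteral(src: string, open: number): string | null {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(open, i + 1);
  }
  return null;
}

// True when `auth:` is a key at the top level of the literal (not nested, not `oauth:`).
function hasTopLevelAuth(literal: string): boolean {
  let depth = 0;
  for (let i = 0; i < literal.length; i++) {
    const c = literal.charAt(i);
    if (c === "{" || c === "[" || c === "(") depth++;
    else if (c === "}" || c === "]" || c === ")") depth--;
    else if (depth === 1 && !/[\w$.]/.test(literal.charAt(i - 1)) &&
             /^auth\s*:/.test(literal.slice(i))) return true;
  }
  return false;
}

function findImplicitAuth(src: string): Finding[] {
  const findings: Finding[] = [];
  const call = /\bapi(?:\.\w+)?\s*\(\s*\{/g; // api({ ... or api.<variant>({ ...
  let m: RegExpExecArray | null;
  while ((m = call.exec(src)) !== null) {
    const options = readObjectLiteral(src, m.index + m[0].length - 1);
    if (options !== null && !hasTopLevelAuth(options)) {
      findings.push({ line: src.slice(0, m.index).split("\n").length, options });
    }
  }
  return findings;
}

// Constructed sample source, not taken from any real project.
const SAMPLE = `
export const listUsers = api({ expose: true, method: "GET", path: "/users" }, async () => ({ users: [] }));
export const getMe = api({ expose: true, auth: true, method: "GET", path: "/me" }, async () => ({ id: "u1" }));
export const health = api({ expose: true, auth: false, method: "GET", path: "/health" }, async () => ({ ok: true }));
`;

for (const f of findImplicitAuth(SAMPLE)) console.log(`line ${f.line}: auth not set in ${f.options}`);
```

Run over the sample, only `listUsers` is reported; `health` is public too, but its `auth: false` is an explicit decision rather than an inherited default.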