Open
Needs discussion / confirmation:
Does service-info require an Authentication header?
Short answer: no, service-info does not require an Authorization / Authentication header by default.
Why this is the case
In the GA4GH Data Repository Service (DRS) specification, the GET /service-info endpoint is explicitly designed to be:
- Public
- Unauthenticated
- Side-effect free
Its purpose is discovery and introspection, not access to protected data.
Typical uses include:
- Determining the service name, version, and environment
- Advertising supported features or extensions
- Verifying basic service availability (health-check–like behavior)
Because of this, clients must be able to call service-info before they have credentials or tokens.
What the spec implies
From a standards perspective:
- service-info MUST NOT require auth
- It SHOULD succeed without any Authorization header
- It MUST NOT leak sensitive configuration or secrets
If authentication were required, a client would be unable to:
- Discover how to authenticate
- Determine supported auth mechanisms
- Perform capability negotiation
Common (but non-standard) deviations
Some deployments still put service-info behind auth due to:
- Overly aggressive API gateways
- Blanket auth middleware applied to all routes
- Misconfigured reverse proxies
If you see 401/403 on GET /service-info, that is a deployment bug, not a client error.
Practical guidance (for your DRS server)
Best practice is:
- Exclude GET /service-info from auth middleware
- Treat it similarly to /healthz
- Return consistent results regardless of caller identity
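A minimal allow-list dispatcher that implements the three points above, added here as an illustration (not code from the DRS spec or from this server); the token, service metadata and the `handle`/`has_sensitive_keys` names are constructed placeholders:

```python
"""Allow-list auth for a DRS-style HTTP dispatcher (illustrative, stdlib only)."""
import hmac
from dataclasses import dataclass, field

# Discovery and health endpoints are reachable without credentials.
PUBLIC_GET_PATHS = frozenset({"/service-info", "/healthz"})

# Constructed placeholder; a real server validates tokens with its IdP.
VALID_TOKEN = "example-token"

# Key fragments that must never appear in a public discovery document.
SENSITIVE_KEY_PARTS = ("secret", "password", "token", "key", "credential")


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def service_info() -> dict:
    """Static discovery metadata (constructed values), identical for every caller."""
    return {
        "id": "org.example.drs",
        "name": "Example DRS",
        "type": {"group": "org.ga4gh", "artifact": "drs", "version": "1.2.0"},
        "version": "0.1.0",
    }


def has_sensitive_keys(doc: dict) -> bool:
    """Recursively flag keys that look like configuration secrets."""
    for key, value in doc.items():
        if any(part in key.lower() for part in SENSITIVE_KEY_PARTS):
            return True
        if isinstance(value, dict) and has_sensitive_keys(value):
            return True
    return False


def handle(method: str, path: str, headers: dict) -> Response:
    """Route a request; auth is enforced on everything except the allow-list."""
    if path in PUBLIC_GET_PATHS:
        if method != "GET":
            return Response(405)
        body = service_info() if path == "/service-info" else {"status": "ok"}
        if has_sensitive_keys(body):  # fail closed rather than leak config
            raise RuntimeError("public endpoint would expose sensitive keys")
        return Response(200, body)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(token.encode(), VALID_TOKEN.encode()):
        return Response(401, {"msg": "Unauthenticated"}, {"WWW-Authenticate": "Bearer"})
    return Response(200, {"path": path})  # protected DRS routes are served here
```

The same `service_info()` body is returned with or without a token, so a 401 on GET /service-info can only come from middleware placed in front of this dispatcher.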