docs: Clarify HTTP endpoint auth is optional, not required (#4562)

## Summary

All `/v1/database` routes go through `anon_auth_middleware`, which
allocates a new anonymous identity when no `Authorization` header is
provided. The docs previously marked many endpoints as requiring auth
(`Required Headers`) when they actually accept anonymous requests.

## Code audit

Traced through `anon_auth_middleware` in `crates/client-api/src/auth.rs`
and each route handler in `crates/client-api/src/routes/database.rs`:

| Route | Old docs | Actual behavior | New docs |
|---|---|---|---|
| `POST /v1/database` (publish) | Required | Optional (anon creates new
DB) | Optional + explanation |
| `PUT /v1/database/:id` (publish) | Required | Optional (ownership
checked) | Optional + explanation |
| `GET /v1/database/:id` (info) | No auth section | No auth used |
Unchanged |
| `DELETE /v1/database/:id` | Required | Optional (ownership checked) |
Optional + explanation |
| `GET .../names` | No auth section | No auth used | Unchanged |
| `POST .../names` | Required | Optional (TLD ownership checked) |
Optional + explanation |
| `PUT .../names` | Required | Optional (ownership checked) | Optional +
explanation |
| `GET .../identity` | No auth section | No auth used | Unchanged |
| `GET .../subscribe` (WS) | Optional | Optional | Unchanged (already
correct) |
| `POST .../call/:reducer` | Required | Optional (identity passed to
reducer) | Optional + explanation |
| `GET .../schema` | No auth section | No permission check | Added
Optional section |
| `GET .../logs` | Required | Optional (ownership checked) | Optional +
explanation |
| `POST .../sql` | Required | Optional (RLS enforces access) | Optional
+ explanation |

Routes that genuinely require auth (`POST /v1/identity/websocket-token`,
`GET /v1/identity/:id/verify`) use `SpacetimeAuthRequired` and are
unchanged.

## Changes

- `authorization.md`: Added paragraph explaining anonymous access for
all `/v1/database` endpoints
- `database.md`: Changed `Required Headers` to `Optional Headers` for 8
endpoints, with per-endpoint explanations of anonymous behavior
- `database.md`: Added new `Optional Headers` section to `/schema`
endpoint (previously undocumented)

---------

Signed-off-by: Zeke Foppa <196249+bfops@users.noreply.github.com>
Co-authored-by: clockwork-labs-bot <clockwork-labs-bot@users.noreply.github.com>
Co-authored-by: Zeke Foppa <196249+bfops@users.noreply.github.com>

Author: clockwork-labs-bot

docs/docs/00300-resources/00200-reference/00200-http-api/00100-authorization.md

@@ -16,6 +16,8 @@ Alternately, a new identity and token will be generated during an anonymous conn
 
 Many SpacetimeDB HTTP endpoints either require or optionally accept a token in the `Authorization` header. SpacetimeDB authorization headers are of the form `Authorization: Bearer ${token}`, where `token` is an [OpenID Connect](https://openid.net/developers/how-connect-works/) compliant [JSON Web Token](https://jwt.io/), such as the one returned from [the `POST /v1/identity` HTTP endpoint](./00200-identity.md#post-v1identity).
 
+All `/v1/database` endpoints support anonymous access. If no `Authorization` header is provided, SpacetimeDB will allocate a new anonymous identity for the request. Anonymous requests can access public information (database info, schemas, names) and can call reducers or run SQL queries, but will only have access to public tables and will be rejected when attempting privileged operations like deleting a database or viewing logs.
+
 # Top level routes
 
 | Route                         | Description                                            |

docs/docs/00300-resources/00200-reference/00200-http-api/00200-identity.md

@@ -61,28 +61,6 @@ Fetches the public key used by the database to verify tokens.
 
 Returns a response of content-type `application/pem-certificate-chain`.
 
-## `POST /v1/identity/:identity/set-email`
-
-Associate an email with a Spacetime identity.
-
-#### Parameters
-
-| Name        | Value                                     |
-| ----------- | ----------------------------------------- |
-| `:identity` | The identity to associate with the email. |
-
-#### Query Parameters
-
-| Name    | Value             |
-| ------- | ----------------- |
-| `email` | An email address. |
-
-#### Required Headers
-
-| Name            | Value                                                                         |
-| --------------- | ----------------------------------------------------------------------------- |
-| `Authorization` | A Spacetime token [encoded as Basic authorization](./00100-authorization.md). |
-
 ## `GET /v1/identity/:identity/databases`
 
 List all databases owned by an identity.

docs/docs/00300-resources/00200-reference/00200-http-api/00300-database.md

@@ -30,12 +30,14 @@ Publish a new database with no name.
 
 Accessible through the CLI as `spacetime publish`.
 
-#### Required Headers
+#### Optional Headers
 
 | Name            | Value                                                                               |
 | --------------- | ----------------------------------------------------------------------------------- |
 | `Authorization` | A Spacetime token [as Bearer auth](./00100-authorization.md#authorization-headers). |
 
+If no `Authorization` header is provided, a new anonymous identity will be created and will own the new database. This is generally not what you want.
+
 #### Data
 
 A WebAssembly module in the [binary format](https://webassembly.github.io/spec/core/binary/index.html).
@@ -63,12 +65,14 @@ Accessible through the CLI as `spacetime publish`.
 | ------- | --------------------------------------------------------------------------------- |
 | `clear` | A boolean; whether to clear any existing data when updating an existing database. |
 
-#### Required Headers
+#### Optional Headers
 
 | Name            | Value                                                                               |
 | --------------- | ----------------------------------------------------------------------------------- |
 | `Authorization` | A Spacetime token [as Bearer auth](./00100-authorization.md#authorization-headers). |
 
+If no `Authorization` header is provided, a new anonymous identity will be created. When updating an existing database, the token must correspond to the database's owner, or the request will be rejected.
+
 #### Data
 
 A WebAssembly module in the [binary format](https://webassembly.github.io/spec/core/binary/index.html).
@@ -123,12 +127,14 @@ Delete a database.
 
 Accessible through the CLI as `spacetime delete <identity>`.
 
-#### Required Headers
+#### Optional Headers
 
 | Name            | Value                                                                               |
 | --------------- | ----------------------------------------------------------------------------------- |
 | `Authorization` | A Spacetime token [as Bearer auth](./00100-authorization.md#authorization-headers). |
 
+Deleting a database requires ownership. If no `Authorization` header is provided, the request will be treated as anonymous and will be rejected.
+
 ## `GET /v1/database/:name_or_identity/names`
 
 Get the names this database can be identified by.
@@ -147,12 +153,14 @@ where `<names>` is a JSON array of strings, each of which is a name which refers
 
 Add a new name for this database.
 
-#### Required Headers
+#### Optional Headers
 
 | Name            | Value                                                                               |
 | --------------- | ----------------------------------------------------------------------------------- |
 | `Authorization` | A Spacetime token [as Bearer auth](./00100-authorization.md#authorization-headers). |
 
+If no `Authorization` header is provided, the request will be treated as anonymous.
+
 #### Data
 
 Takes as the request body a string containing the new name of the database.
@@ -180,12 +188,14 @@ If the new name already exists but the identity provided in the `Authorization`
 
 Set the list of names for this database.
 
-#### Required Headers
+#### Optional Headers
 
 | Name            | Value                                                                               |
 | --------------- | ----------------------------------------------------------------------------------- |
 | `Authorization` | A Spacetime token [as Bearer auth](./00100-authorization.md#authorization-headers). |
 
+Setting names requires ownership of the database. If no `Authorization` header is provided, the request will be treated as anonymous and will be rejected.
+
 #### Data
 
 Takes as the request body a list of names, as a JSON array of strings.
@@ -249,12 +259,14 @@ Invoke a reducer in a database.
 | ---------- | ------------------------------------- |
 | `:reducer` | The name of the reducer OR procedure. |
 
-#### Required Headers
+#### Optional Headers
 
 | Name            | Value                                                                               |
 | --------------- | ----------------------------------------------------------------------------------- |
 | `Authorization` | A Spacetime token [as Bearer auth](./00100-authorization.md#authorization-headers). |
 
+If no `Authorization` header is provided, the request will be treated as anonymous. The caller's identity is passed to the reducer via its `ReducerContext`, and the module may accept or reject the call based on that identity.
+
 #### Data
 
 A JSON array of arguments to the reducer.
@@ -271,6 +283,14 @@ Accessible through the CLI as `spacetime describe <name_or_identity>`.
 | --------- | ------------------------------------------------ |
 | `version` | The version of `RawModuleDef` to return, e.g. 9. |
 
+#### Optional Headers
+
+| Name            | Value                                                                               |
+| --------------- | ----------------------------------------------------------------------------------- |
+| `Authorization` | A Spacetime token [as Bearer auth](./00100-authorization.md#authorization-headers). |
+
+No authorization is required to fetch a database's schema. If an `Authorization` header is provided, the response will include `spacetime-identity` and `spacetime-identity-token` headers echoing the caller's identity. If omitted, a new anonymous identity will be allocated for this purpose.
+
 #### Returns
 
 Returns a `RawModuleDef` in JSON form.
@@ -409,12 +429,14 @@ Accessible through the CLI as `spacetime logs <name_or_identity>`.
 | `num_lines` | Number of most-recent log lines to retrieve.                    |
 | `follow`    | A boolean; whether to continue receiving new logs via a stream. |
 
-#### Required Headers
+#### Optional Headers
 
 | Name            | Value                                                                               |
 | --------------- | ----------------------------------------------------------------------------------- |
 | `Authorization` | A Spacetime token [as Bearer auth](./00100-authorization.md#authorization-headers). |
 
+Viewing logs requires ownership of the database. If no `Authorization` header is provided, the request will be treated as anonymous and will be rejected.
+
 #### Returns
 
 Text, or streaming text if `follow` is supplied, containing log lines.
@@ -425,12 +447,14 @@ Run a SQL query against a database.
 
 Accessible through the CLI as `spacetime sql <name_or_identity> <query>`.
 
-#### Required Headers
+#### Optional Headers
 
 | Name            | Value                                                                               |
 | --------------- | ----------------------------------------------------------------------------------- |
 | `Authorization` | A Spacetime token [as Bearer auth](./00100-authorization.md#authorization-headers). |
 
+If no `Authorization` header is provided, the request will be treated as anonymous and will only have access to public tables. The caller's identity is used to enforce row-level security policies.
+
 #### Data
 
 SQL queries, separated by `;`.