Authentication

All customer-facing endpoints require an authenticated session cookie. Pass it via the X-Cookie header when using Swagger UI.

Public collection retrieval is open to anonymous users.