# Authentication

* All **customer-facing endpoints** require an authenticated session cookie. Pass it via the `X-Cookie` header when using Swagger UI.
* Public collection retrieval is open to anonymous users.