
If you request a public url with an invalid token, it succeeds


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal

If you request a URL that doesn't require authentication (for example /1/user/(user_name)/listens), but you also provide an Authorization header with invalid data, you get the information that you requested.

I'm not sure if it makes sense to validate this data on public endpoints or not. Thoughts?

One potential reason to verify on all requests is if we have a separate rate limit for authorised clients...
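The two policies discussed above, side by side, as an added example that is not ListenBrainz code: the lenient variant reproduces the reported behaviour (a bad token on a public endpoint is silently treated as anonymous), the strict variant rejects any token that is present but invalid, so an unauthenticated caller cannot end up in the authenticated rate-limit tier. The `Token <value>` header format, the in-memory token table and the request shape are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample token table; a real service would look tokens up in its database.
VALID_TOKENS: Dict[str, str] = {"tok-alice": "alice"}


class InvalidToken(Exception):
    """Raised when an Authorization header is present but unusable."""


@dataclass
class AuthResult:
    user: Optional[str]        # None for anonymous callers
    rate_limit_tier: str       # "anonymous" or "authenticated"


def parse_authorization(header: Optional[str]) -> Optional[str]:
    """Extract the token from an assumed 'Token <value>' header; None if absent."""
    if header is None:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "token" or not parts[1].strip():
        raise InvalidToken("malformed Authorization header")
    return parts[1].strip()


def resolve_auth(headers: Dict[str, str], required: bool) -> AuthResult:
    """Validate the token whenever one is supplied, even if the endpoint is public."""
    token = parse_authorization(headers.get("Authorization"))
    if token is None:
        if required:
            raise InvalidToken("authentication required")
        return AuthResult(user=None, rate_limit_tier="anonymous")
    user = VALID_TOKENS.get(token)
    if user is None:
        raise InvalidToken("invalid token")
    return AuthResult(user=user, rate_limit_tier="authenticated")


def handle_public_listens(headers: Dict[str, str], strict: bool = True) -> Tuple[int, dict]:
    """Simulates GET /1/user/<user_name>/listens, a public endpoint.

    strict=False is the behaviour the ticket describes: an invalid token is ignored.
    strict=True rejects the request instead, so the tier can be trusted for rate limiting.
    """
    try:
        auth = resolve_auth(headers, required=False)
    except InvalidToken as exc:
        if strict:
            return 401, {"error": str(exc)}
        auth = AuthResult(user=None, rate_limit_tier="anonymous")
    return 200, {"user": auth.user, "tier": auth.rate_limit_tier}
```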

Assignee: Unassigned
Reporter: Alastair Porter (alastairp)
Votes: 0
Watchers: 2
