Public vs Authenticated Access

All requests require x-tenant-id. Bearer tokens are only required for authenticated operations.

Access Matrix

Resource	Public routes	Authenticated routes
`event`	`get`, `list`	`create`, `update`, `remove`, `feature`, `like`, performance
`admission`	`get`, `list`	`create`, `update`, `remove`, `quote`
`section`	`get`, `list`	`create`, `update`, `remove`
`venue`	`get`, `list`	`create`, `update`, `remove`, `linkLocation`, `unlinkLocation`
`tenant`	`config`, `regions`	—
`team`	`get`	`list`, `create`, `update`, `remove`, performance
`promoter`	`get`	`list`, `create`, `update`, `remove`, performance
`order`	`get`, `quote`, `create`, `update`, `reserve`	`list`, `resend`, `refund`, notes
`ticket`	`list`	`get`, `create`, `update`, `scan`
`analytics`	`track`, `page`, `identify`, `alias`, `group`, `screen`	same routes available with auth context
`coupon`	—	`get`, `list`, `create`, `update`, `remove`, `code.*`
`location`	—	`get`, `list`
`payout` / `beneficiary` / `internal`	—	authenticated only

Some public routes are intentionally available for checkout/confirmation flows, but still require signatures:

order.update requires signature
order.reserve requires signature
ticket.list with orderId requires either bearer permission or orderSignature

Use public routes for storefront rendering and checkout initiation. Use bearer-auth routes for management, operations, and back-office workflows.