You could authorize an SSL mutual auth client to call it (openidm-cert role).
Or if you’re really okay to have it open to anyone, you could authorize the anonymous user to call it.
If you truly must have it callable without setting any headers etc then it might get a bit less out of the box, e.g. writing a servlet filter to satisfy a configured auth module.
Just some options
Thanks for the replies. All good suggestions. We’re working with a monitoring solution that may or may not be able to provide headers in its requests so at this point I was trying to determine options from the OpenIDM side.