Just reading the spec bud01 there is an optional authorization method: The server may optionally require authorization when retrieving blobs from GET /sha256, returning 401 if not properly authorized