This spec does not govern how one might authenticate or authorize clients of the v2 Images API. Implementors are free to decide how to identify clients and what authorization rules to apply.
Note that the HTTP status codes 401 and 403 are included in this specification as valid response codes.