Here's the deal. When you do a curl for the endpoint services/server/info on a search head, it includes information like the license key and it doesn't require any auth. no token, no user:pass, nothing.
All other endpoints require auth, but not the info one. I would like to disable or at least mask certain fields, but I can't see any where in the docs where it is even mentioned other than a description of the endpoint.