The token just authenticates the request as coming from a specific user. You still need to use the permissions callback to check if that user has permission for whatever it is you’re doing. If you omit the permission_callback argument when registering the route then the route is public.
If you only need to check if there is a user, and not specific permissions, you could just use is_user_logged_in():
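// Namespace has no leading or trailing slash; the route starts with one.
register_rest_route( 'v1', '/info', array(
    'methods'             => 'GET',
    'callback'            => 'api_version',
    // The key is 'permission_callback' (singular). A misspelled key is
    // ignored by WordPress, which leaves the route public.
    'permission_callback' => function() {
        return is_user_logged_in();
    },
) );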
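The same pattern extended to a capability check, as an added example that is not part of the original answer: the token identifies the user, and the permission callback decides whether that user may call the route. The namespace myplugin/v1, the routes and the myplugin_* function names are hypothetical.

```php
<?php
// Added example. Namespace, routes and myplugin_* names are hypothetical.

// Authorization step: authentication (cookie, token, application password)
// has already set the current user before this callback runs.
function myplugin_can_manage( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // rest_authorization_required_code() yields 401 when nobody is
    // authenticated and 403 when a user is logged in but lacks the capability.
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to read these settings.',
        array( 'status' => rest_authorization_required_code() )
    );
}

function myplugin_get_settings( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'blogname' => get_option( 'blogname' ) ) );
}

function myplugin_get_version( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'version' => '1.0.0' ) ); // constructed value
}

add_action( 'rest_api_init', function () {
    // Restricted route: only users with manage_options get past the callback.
    register_rest_route( 'myplugin/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'myplugin_get_settings',
        'permission_callback' => 'myplugin_can_manage',
    ) );

    // Deliberately public route: say so explicitly with __return_true
    // instead of omitting the key, so the exposure is visible in review.
    register_rest_route( 'myplugin/v1', '/version', array(
        'methods'             => 'GET',
        'callback'            => 'myplugin_get_version',
        'permission_callback' => '__return_true',
    ) );
} );
```

Since WordPress 5.5, registering a route without permission_callback triggers a _doing_it_wrong notice, so an accidentally public route shows up in the debug log.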