A general question: Am I right that the main difference between the API and the custom routes are that I have to code the custom routes myself and they are not protected by authorization while the API is always auth protected, even for simple, safe read operations on the cms content? I’m curious about this for some time because I wasn’t sure what’s the best way to offer a public (read- or insert-only limited) API for my Kirby 3 content.
The API always needs authentication, yes. With your custom routes, it’s up to you to authenticate, unless you use methods that need authentication (like updating etc, via a logged in user, or impersonation)