AFAICT there's nothing in the AT Protocol docs that makes it clear which endpoints require authentication and which ones do not, nor does it appear in any of the lexicon spec files.
The two lists I'm maintaining (GET requests, POST requests) I painstakingly built by hand by hitting every single one just to see if they would throw a 401. That isn't really sustainable.
That could be built into the conversion or added as a separate follow-up script, though. Hit every path with an unauthenticated request and see if it returns a 401. Could also use this process to remove the endpoints currently returning 404 because they have not been implemented yet.
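One way the follow-up script described above could look, as an added example that is not code from the original comment or from the AT Protocol project. The function names, the `/xrpc/<nsid>` request shape used by `http_status`, the sample NSIDs and the sample statuses are assumptions or constructed values; the "undetermined" bucket is also an assumption, covering responses that are neither 401, 404 nor success.

```python
import urllib.error
import urllib.request


def http_status(base_url, method, nsid, timeout=10):
    """Send one request with no Authorization header; return the HTTP status."""
    body = b"{}" if method == "POST" else None
    headers = {"Content-Type": "application/json"} if body else {}
    req = urllib.request.Request(f"{base_url}/xrpc/{nsid}", data=body,
                                 headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx arrive as exceptions; the code is what we want


def classify(status):
    if status == 401:
        return "auth_required"
    if status == 404:
        return "not_implemented"
    if 200 <= status < 300:
        return "public"
    # Assumption: a 400 (e.g. missing parameters) or a 5xx may be produced
    # before any auth check runs, so it proves nothing either way.
    return "undetermined"


def audit(endpoints, probe):
    """endpoints: iterable of (method, nsid); probe(method, nsid) -> status."""
    report = {"auth_required": [], "not_implemented": [],
              "public": [], "undetermined": []}
    for method, nsid in endpoints:
        report[classify(probe(method, nsid))].append((method, nsid))
    return report


# Constructed sample: hypothetical NSIDs and statuses, so this runs offline.
SAMPLE = {
    ("GET", "com.example.getPublicThing"): 200,
    ("GET", "com.example.getPrivateThing"): 401,
    ("POST", "com.example.createThing"): 401,
    ("GET", "com.example.getPlannedThing"): 404,
    ("POST", "com.example.updateThing"): 400,
}

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE, lambda m, n: SAMPLE[(m, n)]).items():
        print(bucket, items)
    # Live: audit(endpoints, lambda m, n: http_status("https://pds.example", m, n))
```

Endpoints that land in `undetermined` still need a manual check, for example by repeating the request with valid parameters.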