There are some scenarios where the customer might want to just expose the Backend API and
track the usage (with rate limiting) rate limit it, without adding an authentication mechanism.
A policy should be able to fill in missing credentials for unauthenticated requests.
The policy configuration should have have option to select user_key / app_id+app_key and fill a value.
Then any request with missing credentials will get these by default.
This is effectively authenticating every client with some default app that can have some limits or not and can track aggregated usage.