8 changes: 2 additions & 6 deletions guides/security/authentication.md
Expand Up @@ -114,10 +114,6 @@ As the mock user authentication is active, all (CAP) endpoints are [authenticate

<div class="impl java">

::: tip
To simplify the development scenario, you can set <Config java>cds.security.authentication.mode = "model-relaxed"</Config> to deactivate authentication of endpoints derived from unrestricted CDS services.
:::

If you stay with the standard authentication mode, sending the OData request results in a `401` error response from the server, indicating that the anonymous user has been rejected due to missing authentication.

```sh
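Review bot: Removing the `model-relaxed` tip leaves the following sentence, "If you stay with the standard authentication mode, sending the OData request results in a `401` error response", without the alternative it was contrasting against, and "standard authentication mode" is now ambiguous because, per the companion change in `java/security.md` in this PR, the mode is derived automatically and becomes `model-relaxed` whenever mock users are enabled. Either name the mode the walkthrough assumes explicitly (for example, that `cds.security.authentication.mode = "model-strict"` is set) or drop the conditional clause, and reconcile the sentence just above the hunk, which says all CAP endpoints are authenticated while mock user authentication is active, with the derived `model-relaxed` default under which unannotated services are public and would not answer `401`.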
Expand Down Expand Up @@ -280,7 +276,7 @@ MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='vi

<div class="impl node">

```
```sh
[basic] - authenticated: { user: 'viewer-user', tenant: 'CrazyCars', features: [ 'cruise', 'park' ] }
```

Expand Down Expand Up @@ -755,7 +751,7 @@ IAS offers a cross-consumption mode that allows IAS users to consume legacy XSUA

::: tip
In contrast to [IAS](#ias-auth), XSUAA does not allow cross-landscape user propagation out of the box.
:::
:::

You can best configure and test XSUAA authentication in the Cloud, so let's enhance the sample with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF).

6 changes: 3 additions & 3 deletions java/security.md
Expand Up @@ -91,11 +91,11 @@ The property `cds.security.authentication.mode` controls the strategy used for a
| :---------------------------------------------------- | :----------------------------------------------------- |
| `never` | No endpoint requires authentication. All protocol-adapter endpoints are considered public.
| `model-relaxed` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is considered public.
| `model-strict` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is authenticated. An explicit `@requires: 'any'` makes the endpoint public (Default).
| `model-strict` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is authenticated. An explicit `@requires: 'any'` makes the endpoint public.
| `always` | All endpoints require authentication.

By default the authentication mode is set to `model-strict` to comply with secure-by-default.
In that case you can use the annotation `@requires: 'any'` on service-level to make the service and its entities public again.
When the auth mode is explicitly configured, it takes precedence. When it is not configured, the mode is derived automatically i.e. `model-relaxed` if mock users are enabled (local development), `model-strict` otherwise (production).
But, one can use the annotation `@requires: 'any'` on service-level to make the service and its entities public again.
You can only make an endpoint public if the full endpoint path is also considered public.
For example you can only make an entity public, if the service that contains it is also considered public.

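Review bot: Deriving the mode from whether mock users are enabled (the new sentence "`model-relaxed` if mock users are enabled (local development), `model-strict` otherwise (production)") silently weakens authentication if mock users are ever enabled in a non-development profile, so the paragraph should recommend pinning `cds.security.authentication.mode` to `model-strict` in production configuration rather than relying on the derivation, and the table row for `model-strict` that lost its "(Default)" marker should say that the default is now derived. Two wording points in the same paragraph: "i.e. `model-relaxed`" should read "i.e., `model-relaxed`", and "But, one can use the annotation `@requires: 'any'` on service-level to make the service and its entities public again" reads awkwardly and only applies to `model-strict`; suggest "In `model-strict` mode, you can use the annotation `@requires: 'any'` at service level to make the service and its entities public."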