I've noticed data access capabilities can switch back from non-token to token based security in some circumstances. In particular retracting all datasets with a given endpoint then republishing them brought them back as token-based endpoints.

I had used "esgpublish --gateway-retract" so I had assumed the gateway configuration would be retained. This can have serious user experience implications if it isn't noticed.