# API Authorization Status Matrix

| endpoint | method | token_used | observed_status | expected_boundary | evidence |
| --- | --- | --- | --- | --- | --- |
| https://witnessops.com/api/receipts | HEAD | no | 200 | public API endpoint exposes headers without credentials | evidence/endpoint-headers.txt |
| https://witnessops.com/api/admin/intake/reconciliation-report | HEAD | no | 401 | admin API endpoint requires authorization when no credentials are sent | evidence/endpoint-headers.txt |
| https://witnessops.com/api/receipts | GET | no | 200 | public API endpoint returns bounded public response | evidence/public-response.txt |

No credentials, bearer tokens, cookies, or generated tokens were used, and no POST, PUT, or DELETE requests, fuzzing, brute force, or bypass attempts were made.
