There will be some more documentation here regarding Authorization soon.
This project/code is agnostic as to how you provide authorization for your API.
It’s expected that you may need to extend the Api Controller to provide authorization and/or role/scope based access.