diff --git a/core/src/main/java/google/registry/request/auth/Auth.java b/core/src/main/java/google/registry/request/auth/Auth.java
index 5bd7f25b9..901107310 100644
--- a/core/src/main/java/google/registry/request/auth/Auth.java
+++ b/core/src/main/java/google/registry/request/auth/Auth.java
@@ -30,16 +30,14 @@ public enum Auth {
 * If a user is logged in, will authenticate (and return) them. Otherwise, access is still
 * granted, but NOT_AUTHENTICATED is returned.
 *
- * This is used for public HTML endpoints like RDAP, the check API, and web WHOIS.
- *
- * User-facing legacy console endpoints (those that extend {@link HtmlAction}) also use it.
- * They need to allow requests from signed-out users so that they can redirect users to the login
- * page. After a user is logged in, they check if the user actually has access to the specific
- * console using {@link AuthenticatedRegistrarAccessor}.
+ * User-facing legacy console endpoints (those that extend {@link HtmlAction}) use it. They
+ * need to allow requests from signed-out users so that they can redirect users to the login page.
+ * After a user is logged in, they check if the user actually has access to the specific console
+ * using {@link AuthenticatedRegistrarAccessor}.
 *
 * @see HtmlAction
 */
- AUTH_PUBLIC(
+ AUTH_PUBLIC_LEGACY(
 ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.NONE, UserPolicy.PUBLIC),
 
 /**
@@ -52,6 +50,13 @@ public enum Auth {
 AUTH_PUBLIC_LOGGED_IN(
 ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.USER, UserPolicy.PUBLIC),
 
+ /**
+ * Allows anyone to access.
+ *
+ * This is used for public HTML endpoints like RDAP, the check API, and web WHOIS.
+ */
+ AUTH_PUBLIC(ImmutableList.of(AuthMethod.API), AuthLevel.NONE, UserPolicy.PUBLIC),
+
 /**
 * Allows only the app itself (via service accounts) or admins to access.
 *
diff --git a/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java b/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
index a92dd02c8..d4e7bf708 100644
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
@@ -53,7 +53,7 @@ import javax.inject.Named;
 service = Action.Service.DEFAULT,
 path = ConsoleOteSetupAction.PATH,
 method = {Method.POST, Method.GET},
- auth = Auth.AUTH_PUBLIC)
+ auth = Auth.AUTH_PUBLIC_LEGACY)
 public final class ConsoleOteSetupAction extends HtmlAction {
 
 public static final String PATH = "/registrar-ote-setup";
diff --git a/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java b/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
index 6591a0804..e80e149ce 100644
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
@@ -63,7 +63,7 @@ import org.joda.money.CurrencyUnit;
 service = Service.DEFAULT,
 path = ConsoleRegistrarCreatorAction.PATH,
 method = {Method.POST, Method.GET},
- auth = Auth.AUTH_PUBLIC)
+ auth = Auth.AUTH_PUBLIC_LEGACY)
 public final class ConsoleRegistrarCreatorAction extends HtmlAction {
 
 private static final int PASSWORD_LENGTH = 16;
diff --git a/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java b/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
index b9a244266..9de381ba4 100644
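Review bot: The Javadoc on the new `AUTH_PUBLIC` constant in the second Auth.java hunk says only "Allows anyone to access" and does not record the one thing that now distinguishes it from `AUTH_PUBLIC_LEGACY`: it is built with `ImmutableList.of(AuthMethod.API)` alone, whereas the legacy variant keeps `AuthMethod.API, AuthMethod.LEGACY`. I would add after the "This is used for public HTML endpoints" line: ` * Unlike {@link #AUTH_PUBLIC_LEGACY}, only {@link AuthMethod#API} is attempted, so these endpoints never consult a signed-in user and must not depend on one.` That LEGACY is the signed-in-user path is inferred from the `AUTH_PUBLIC_LEGACY` Javadoc in the first hunk rather than visible in this one. Because the existing name `AUTH_PUBLIC` is kept but narrowed, any `HtmlAction` outside this diff still annotated with it silently loses the login-redirect behaviour; the routing test resources would catch that only for modules whose routing file is checked, and this diff shows the update for pubapi alone.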
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
@@ -41,7 +41,10 @@ import java.util.Optional;
 import javax.inject.Inject;
 
 /** Action that serves Registrar Console single HTML page (SPA). */
-@Action(service = Action.Service.DEFAULT, path = ConsoleUiAction.PATH, auth = Auth.AUTH_PUBLIC)
+@Action(
+ service = Action.Service.DEFAULT,
+ path = ConsoleUiAction.PATH,
+ auth = Auth.AUTH_PUBLIC_LEGACY)
 public final class ConsoleUiAction extends HtmlAction {
 
 private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockVerifyAction.java b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockVerifyAction.java
index 00216a1a2..c1a455fd7 100644
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockVerifyAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockVerifyAction.java
@@ -34,7 +34,7 @@ import javax.inject.Inject;
 @Action(
 service = Action.Service.DEFAULT,
 path = RegistryLockVerifyAction.PATH,
- auth = Auth.AUTH_PUBLIC)
+ auth = Auth.AUTH_PUBLIC_LEGACY)
 public final class RegistryLockVerifyAction extends HtmlAction {
 
 public static final String PATH = "/registry-lock-verify";
diff --git a/core/src/test/resources/google/registry/module/pubapi/pubapi_routing.txt b/core/src/test/resources/google/registry/module/pubapi/pubapi_routing.txt
index 2d832632a..b5a3a704d 100644
--- a/core/src/test/resources/google/registry/module/pubapi/pubapi_routing.txt
+++ b/core/src/test/resources/google/registry/module/pubapi/pubapi_routing.txt
@@ -1,13 +1,13 @@
 PATH CLASS METHODS OK AUTH_METHODS MIN USER_POLICY
 /_dr/whois WhoisAction POST n API APP ADMIN
-/check CheckApiAction GET n API,LEGACY NONE PUBLIC
-/rdap/autnum/(*) RdapAutnumAction GET,HEAD n API,LEGACY NONE PUBLIC
-/rdap/domain/(*) RdapDomainAction GET,HEAD n API,LEGACY NONE PUBLIC
-/rdap/domains RdapDomainSearchAction GET,HEAD n API,LEGACY NONE PUBLIC
-/rdap/entities RdapEntitySearchAction GET,HEAD n API,LEGACY NONE PUBLIC
-/rdap/entity/(*) RdapEntityAction GET,HEAD n API,LEGACY NONE PUBLIC
-/rdap/help(*) RdapHelpAction GET,HEAD n API,LEGACY NONE PUBLIC
-/rdap/ip/(*) RdapIpAction GET,HEAD n API,LEGACY NONE PUBLIC
-/rdap/nameserver/(*) RdapNameserverAction GET,HEAD n API,LEGACY NONE PUBLIC
-/rdap/nameservers RdapNameserverSearchAction GET,HEAD n API,LEGACY NONE PUBLIC
-/whois/(*) WhoisHttpAction GET n API,LEGACY NONE PUBLIC
+/check CheckApiAction GET n API NONE PUBLIC
+/rdap/autnum/(*) RdapAutnumAction GET,HEAD n API NONE PUBLIC
+/rdap/domain/(*) RdapDomainAction GET,HEAD n API NONE PUBLIC
+/rdap/domains RdapDomainSearchAction GET,HEAD n API NONE PUBLIC
+/rdap/entities RdapEntitySearchAction GET,HEAD n API NONE PUBLIC
+/rdap/entity/(*) RdapEntityAction GET,HEAD n API NONE PUBLIC
+/rdap/help(*) RdapHelpAction GET,HEAD n API NONE PUBLIC
+/rdap/ip/(*) RdapIpAction GET,HEAD n API NONE PUBLIC
+/rdap/nameserver/(*) RdapNameserverAction GET,HEAD n API NONE PUBLIC
+/rdap/nameservers RdapNameserverSearchAction GET,HEAD n API NONE PUBLIC
+/whois/(*) WhoisHttpAction GET n API NONE PUBLIC