Looks great, looking forward to exploring this further!
Not sure - you’re probably just not enforcing it yet, but I was able to create a test note without the auth token.
Yes that’s right, some calls are for now whitelisted to allow the web clipper to work without an authorisation step. That step might be implemented later on. These are the whitelisted calls: