authentication – Strategies for segregating anonymous and secure access to APIs

Traditionally, we used either path-based access control or a separate DNS for public and private content segregation. In the modern era of standard-based auth, what are the best auth strategies for segregating anonymous and secure access to APIs?

  1. If OAuth 2 is used to auth APIs (exposed via a single DNS), how can APIs that do not require authentication be effectively separated?
  2. How would authorization work between anonymous and secure queries in the case of a GraphQL API?