It's a shame it's "authentication protected" as it doesn't give out any confidential information and it's something that could be cached either on their frontend servers or on proxy servers/CDNs: as it is, they are probably using up more computing power authenticating the API token then they would just leaving it open and catchable (especially since it changes at the same time everyday - easy enough to set cache headers). Turns out, that endpoint isn't actually restricted by API keys - so you can access it without authentication (although the Expires: setting is only a minute into the future so not that cachable)