usually we use the OAuth2 security schema. but public endpoints
do not have this security constraint. callbacks don't authenticate
against the called endpoint.

For reference, the warning was (one example):

> Every operation should have security defined on it or on the root level.
>
> 418 | get:
>     | ^^^
> 419 |   operationId: get-destination-key
> 420 |   summary: Ruft einen JWK des Zustelldienstes ab
>
> Warning was generated by the security-defined rule.