How do I make API routes accessible without login?

Question

In security.yml I have defined below:

access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/getDays, roles: IS_AUTHENTICATED_ANONYMOUSLY }        
    # - { path: ^/admin, roles: ROLE_ADMIN }
    - { path: ^/, roles: ROLE_USER }
    - { path: ^/api, roles: PUBLIC_ACCESS }

But http://localhost:8000/api/search.json always redirects to login page

Answer 1

Once a route matches the pattern, the system halts the process and does not proceed further. So, your access_control applies the third line. Switch line 3 and 4, and it should work:

access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/getDays, roles: IS_AUTHENTICATED_ANONYMOUSLY }        
    # - { path: ^/admin, roles: ROLE_ADMIN }
    - { path: ^/api, roles: PUBLIC_ACCESS }
    - { path: ^/, roles: ROLE_USER }

Source: How Does the Security access_control Work?

For each incoming request, Symfony checks each access_control entry to find one that matches the current request. As soon as it finds a matching access_control entry, it stops - only the first matching access_control is used to enforce access.