Public vs Private APIs

Just getting to grips with server-less architecture and authorisation.
I can understand a private API, say on AWS, with the client software getting a token from Auth0 after the user has logged in and accessing those resources, controlled by having that token.
I can also understand having a public API on AWS that is accessible to anyone for particular services direct to the API.
What I am wondering about, for API services used by the client software for any user on a public website, is whether that access needs to be secured. If so, how do you go about treating a token for that - do you create a special token for it, or get a special account on Auth0 and somehow get a token from them?