Auth tokens may be optional. They are defined here:
docs/src/catalyst-standards/permissionless-auth/auth-header.md
docs/src/catalyst-standards/permissionless-auth/auth-token.cddl

IF a token is present, look up the chain root in the index DB for the current latest Role 0 Key present in the auth token.

An example of it being used by the API is here: catalyst-gateway/bin/src/service/api/cardano/cip36/endpoint.rs:18

    _auth: NoneOrRBAC,

Each RBAC KeyChain is identified by a Chain Root. However, it is not a natural source of information for the front end. The front end only knows the keys it is using.

The permissionless auth token includes a 16 byte hash of the Role 0 certificate used to sign the token. This is known as the KID.

The Service indexes the Role0 KeyID (16 byte hash) against the Chain Root in the chain_root_for_role0_key table. See catalyst-gateway/bin/src/db/index/schema/cql/chain_root_for_role0_key.cql for the schema AND catalyst-gateway/bin/src/db/index/queries/cql/get_role0_key_chain_root.cql for the query to get the data for it.

Using this table and the KID, this task is to:

1. Look up the chain root for the KID. If it is not present, return 403. (We don't know who they are.)
2. Check if it is the LATEST KID for the chain root. If it is not, return 401. (We know who they are, but they used the wrong credential.)
3. Get the cert for the KID, and then validate that the token is correct.

See catalyst-gateway/bin/src/service/common/auth/rbac/scheme.rs:136 for where this code needs to be inserted. There should be a function here which does the above logic.
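A worked sketch of the three-step lookup above, added here as an example and not code from catalyst-gateway: the in-memory RoleZeroIndex, its latest_kid_for_chain_root and cert_for_kid maps, the 32 byte ChainRoot width and the verify callback are assumptions standing in for the real index DB queries and the token signature check.

```rust
use std::collections::HashMap;

/// 16 byte hash of the Role 0 certificate that signed the token (the KID).
pub type Kid = [u8; 16];
/// Chain Root that identifies an RBAC KeyChain (32 bytes is an assumption here).
pub type ChainRoot = [u8; 32];

/// Failure modes, each mapped to the HTTP status the task calls for.
#[derive(Debug, PartialEq)]
pub enum AuthError {
    Forbidden,    // 403: KID not in the index, we don't know who they are
    Unauthorized, // 401: KID known, but not the latest Role 0 key for the chain
    InvalidToken, // cert found, but the token did not validate (status not fixed by the task)
}

/// Hypothetical in-memory stand-in for the index DB; the real service queries the
/// chain_root_for_role0_key table and would fetch the cert from the index as well.
pub struct RoleZeroIndex {
    pub chain_root_for_role0_key: HashMap<Kid, ChainRoot>,
    pub latest_kid_for_chain_root: HashMap<ChainRoot, Kid>,
    pub cert_for_kid: HashMap<Kid, Vec<u8>>,
}

/// The three steps from the task, in order. `verify(cert, token)` stands in for the
/// real signature check of the token against the Role 0 certificate.
pub fn resolve_chain_root(idx: &RoleZeroIndex, kid: &Kid, token: &[u8],
                          verify: impl Fn(&[u8], &[u8]) -> bool) -> Result<ChainRoot, AuthError> {
    // 1. Unknown KID: nobody to attribute the caller to -> 403.
    let root = *idx.chain_root_for_role0_key.get(kid).ok_or(AuthError::Forbidden)?;
    // 2. The KID must be the LATEST Role 0 key for that chain root -> otherwise 401.
    if idx.latest_kid_for_chain_root.get(&root) != Some(kid) {
        return Err(AuthError::Unauthorized);
    }
    // 3. Fetch the cert for the KID and validate the token against it.
    let cert = idx.cert_for_kid.get(kid).ok_or(AuthError::Forbidden)?;
    if !verify(cert.as_slice(), token) { return Err(AuthError::InvalidToken); }
    Ok(root)
}

/// Constructed fixture: one chain whose Role 0 key was rotated from KID [1;16] to [2;16].
pub fn sample_index() -> RoleZeroIndex {
    let root: ChainRoot = [0xAB; 32];
    let (old, latest): (Kid, Kid) = ([1; 16], [2; 16]);
    RoleZeroIndex {
        chain_root_for_role0_key: HashMap::from([(old, root), (latest, root)]),
        latest_kid_for_chain_root: HashMap::from([(root, latest)]),
        cert_for_kid: HashMap::from([(old, b"old-cert".to_vec()), (latest, b"new-cert".to_vec())]),
    }
}
```

Note that the rotated-out KID still resolves to a chain root (the caller is identified) but is rejected at step 2, which is what distinguishes the 401 from the 403.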
stevenj changed the title from "IF a token is present, look up the chain root in the index DB for the current latest Role 0 Key present in the auth token." to "🛠️ [TASK] : Lookup Chain root for any presented auth token." on Dec 2, 2024