by unqueued
1287 days ago
I was astonished when I noticed requests like this after I logged into a customer portal:

curl 'https://hondalink.honda.com/api/VehicleFeatures/[VIN NUMBER]' \
  -H 'hondaHeaderType.country_code: US' \
  -H 'hondaHeaderType.language_code: en' \
  -H 'Authorization: Basic [DIGEST]' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -H 'Car-Type: HONDA'
Not only are they using basic HTTP auth, but it is silently ignored by the server. Try it yourself. They clearly intended to implement authentication on their API endpoints, but didn't finish it, because the client is sending an Authorization header. But I don't know if their servers are even configured to check them. And they should certainly use JWT instead of digest.
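The "try it yourself" test above generalizes to a three-probe check: send the request with no Authorization header, with a garbage one, and with the real one, and compare status codes. Only if the first two are rejected and the third is accepted is the header actually being enforced. The script below is an added example, not code from the commenter or from Honda; it stands up two hypothetical local endpoints (one that ignores Authorization entirely, one that checks it) with a constructed credential, so it runs offline. The stub servers, the `TESTVIN` path element and the `user:s3cret` credential are all assumptions for the demonstration.

```python
"""Probe whether an API endpoint enforces the Authorization header it is sent.

Added example, not code from the original comment. The local stub servers and
the credential below are constructed for the demonstration only.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Optional

# Constructed credential, only meaningful to the stub server below.
VALID_BASIC = "Basic " + base64.b64encode(b"user:s3cret").decode()


def make_handler(enforce: bool):
    """Build a handler; enforce=False mimics a server that never reads Authorization."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if enforce and self.headers.get("Authorization") != VALID_BASIC:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="api"')
                self.end_headers()
                return
            body = b'{"vin": "TESTVIN", "features": []}'  # constructed response body
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the stub quiet
            pass

    return Handler


def start_server(enforce: bool) -> ThreadingHTTPServer:
    """Start a stub API on a free loopback port in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(enforce))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def status_for(url: str, auth_header: Optional[str]) -> int:
    """GET url with the given Authorization value (None = omit the header); return HTTP status."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if auth_header is not None:
        req.add_header("Authorization", auth_header)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def auth_enforced(url: str, valid_header: str) -> Dict[str, object]:
    """Run the three probes. Auth counts as enforced only when the anonymous and
    garbage probes are rejected (401/403) and the valid credential gets a 200."""
    garbage = "Basic " + base64.b64encode(b"nobody:wrong").decode()
    probes: Dict[str, object] = {
        "none": status_for(url, None),
        "garbage": status_for(url, garbage),
        "valid": status_for(url, valid_header),
    }
    rejected = {k: probes[k] in (401, 403) for k in ("none", "garbage")}
    probes["enforced"] = rejected["none"] and rejected["garbage"] and probes["valid"] == 200
    return probes


def check_stub(enforce: bool) -> Dict[str, object]:
    """Run auth_enforced against a local stub configured with the given behaviour."""
    srv = start_server(enforce)
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/api/VehicleFeatures/TESTVIN"
        return auth_enforced(url, VALID_BASIC)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("stub that ignores Authorization:", check_stub(False))
    print("stub that enforces it:          ", check_stub(True))
```

Against a real endpoint, `auth_enforced` would be pointed at the URL from the captured request with the captured header as `valid_header`; the same check with curl is simply re-running the command with the `-H 'Authorization: ...'` line dropped, then with a made-up value, and comparing the status codes. A 200 on all three is the "silently ignored" case described above.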