This makes sense since Authentication happens before Authorization. Please note that IS does have the ability to validate a JWT if that is a path you want to take. Refer Configuring Integration Server to Use JWT
If you have a service with anonymous execute ACL , you could also try not passing any credentials/header to invoke it.
Linking to similar discussion from a couple of years ago. You might find this interesting