An app's (or device's) custom http endpoints, which normally require an access token or bearer authorization code to access, ought to also be accessible with the same session cookie that the browser uses when talking to the Hubitat administrative web interface. I use Curl to upload code to the Hubitat. I have Curl POST the code along with the cookie that I copy from my browser after logging into the web interface. Then, for debugging, I use Curl to call my app's http endpoints and I inspect the result. At the moment, I have to keep track of an access token and have Curl pass the access token along with the http request to my app's http endpoints. It would be convenient if I could simply use the same cookie that I already am using for uploading the code.
Of course, during production, it wouldn't make much sense to use the session cookie to authenticate for the http endpoints, but this would be a valuable feature during debugging. Interestingly, SmartThings does allow the session cookie to be used to authenticate for accessing an app's custom http endpoints.