Document what type of Auth can be in each endpoint

[hunterowens]

Currently, provider/auth.md doesn't show what endpoints can be covered with what types of limits / auth.

Proposal:

provider/auth.md show that GBFS endpoints should be open to the public, while /trips/ and /status_changes can be restricted to a municipality.

For open to the public, there is a question of allowing companies to rate limit queries to that endpoint.

[black-tea]

I like this suggestion, though I'm curious the extent to which we would be setting policies on the GBFS endpoint. I think that that question falls into the same territory as imposing pagination restrictions, which @thekaveman has suggested should be left to NABSA

[hunterowens]

I think NABSA is fairly clear that GBFS should be made open, IIRC.