1 files changed, 15 insertions, 7 deletions

diff --git a/internal/api/client/customemojis/customemojisget.go b/internal/api/client/customemojis/customemojisget.go
index c63445aef..9aa878274 100644
--- a/internal/api/client/customemojis/customemojisget.go
+++ b/internal/api/client/customemojis/customemojisget.go
@@ -21,6 +21,7 @@ import (
 	"net/http"
 
 	apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util"
+	"code.superseriousbusiness.org/gotosocial/internal/config"
 	"code.superseriousbusiness.org/gotosocial/internal/gtserror"
 	"github.com/gin-gonic/gin"
 )
@@ -29,6 +30,8 @@ import (
 //
 // Get an array of custom emojis available on the instance.
 //
+// If the instance config setting `instance-expose-custom-emojis` is `true` then authentication is not required.
+//
 //	---
 //	tags:
 //	- custom_emojis
@@ -37,7 +40,8 @@ import (
 //	- application/json
 //
 //	security:
-//	- OAuth2 Bearer: []
+//	- OAuth2 Bearer:
+//		- read:custom_emojis
 //
 //	responses:
 //		'200':
@@ -53,12 +57,16 @@ import (
 //		'500':
 //			description: internal server error
 func (m *Module) CustomEmojisGETHandler(c *gin.Context) {
-	_, errWithCode := apiutil.TokenAuth(c,
-		true, true, true, true,
-	)
-	if errWithCode != nil {
-		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
-		return
+	// If custom emojis are not exposed to unauthed
+	// callers, fail if a token was not provided.
+	if !config.GetInstanceExposeCustomEmojis() {
+		if _, errWithCode := apiutil.TokenAuth(c,
+			true, true, true, true,
+			apiutil.ScopeReadCustomEmojis,
+		); errWithCode != nil {
+			apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
+			return
+		}
 	}
 
 	if _, err := apiutil.NegotiateAccept(c, apiutil.JSONAcceptHeaders...); err != nil {