Nonces and Ajax request to REST API and verification

Building my first WordPress in over a decade… using Timber for MVC. Vue on the frontend, and Axios for Ajax posts. All hosted on the same domain, so I can use cookies for authentication.

I am enqueuing Axios – and setting up a nonce as a local variable which I pick up in my Vue and use to set the header when posting through Axios.

I have a number of custom API routes registered, e.g.:

I’m puzzled because I can hit these endpoints with and without a NONCE (amuses me because I’m British).

If I pass the nonce header – it checks the nonce and runs the function if ok, rejects if not ok.
If I don’t pass the nonce header, it doesn’t check the nonce, yet still runs the function…

I read in the documentation:

https://developer.wordpress.org/rest-api/using-the-rest-api/authentication/

“Note that you do not need to verify that the nonce is valid inside your custom endpoint. This is automatically done for you in”

So, if the endpoint is already doing the verification, surely it should fail if no nonce is present?

Does this mean that REST endpoints do not automatically check the validity of the nonce, and I should check the validity within the function myself?

Also – some pages heavily use AJAX to interact with these custom endpoints. With each AJAX request, the nonce becomes invalid, breaking future AJAX requests (I’m using POST).

I assumed that I need to generate a new nonce in the function that receives the AJAX request and returns this new nonce to the browser so I can post the new nonce on the header of the next AJAX request.

I can see the new nonce returned in my console… I used it to update the header in my next request – but the nonce fails despite being new?

Any advice on the correct way to use NONCES would be much appreciated. Thanks!
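
An added example, not part of the original post: WordPress core's cookie check (`rest_cookie_check_errors()`) rejects a request whose `X-WP-Nonce` is invalid, but a request with no nonce at all is simply treated as logged out and still dispatched, so a custom route has to state who may call it in its `permission_callback`. The namespace `myplugin/v1`, route `/notes`, script handle `myplugin-app`, JS global `MyPluginApi`, the callback name and the `edit_posts` capability are assumptions chosen for illustration.

```php
<?php
// Added example; all 'myplugin' names are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/notes', array(
        'methods'             => 'POST',
        'callback'            => 'myplugin_create_note',
        // No nonce header => core sets the current user to 0 and carries on.
        // This callback is what turns "anonymous" into a rejected request.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_not_logged_in', 'Authentication required.',
                    array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'edit_posts' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.',
                    array( 'status' => 403 ) );
            }
            return true;
        },
        'args'                => array(
            'title' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function myplugin_create_note( WP_REST_Request $request ) {
    // Non-zero only when the auth cookie and a valid 'wp_rest' nonce were sent.
    return rest_ensure_response( array(
        'author' => get_current_user_id(),
        'title'  => $request->get_param( 'title' ),
    ) );
}

add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'myplugin-app', plugins_url( 'app.js', __FILE__ ), array(), '1.0', true );
    // The REST cookie check verifies the nonce against the action 'wp_rest'.
    // WordPress nonces are time-limited rather than single-use, so the client
    // can send this same value in X-WP-Nonce on every request while it is valid.
    wp_localize_script( 'myplugin-app', 'MyPluginApi', array(
        'root'  => esc_url_raw( rest_url() ),
        'nonce' => wp_create_nonce( 'wp_rest' ),
    ) );
} );
```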