diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 73071aa8df..a3a482c6e5 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -945,7 +945,6 @@ func Routes() *web.Route {
 		// Users (requires user scope)
 		m.Group("/users", func() {
 			m.Group("/{username}", func() {
-				m.Get("/keys", user.ListPublicKeys)
 				m.Get("/gpg_keys", user.ListGPGKeys)
 
 				m.Get("/followers", user.ListFollowers)
@@ -960,6 +959,13 @@ func Routes() *web.Route {
 			}, context.UserAssignmentAPI())
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser), reqToken())
 
+		// Users SSH keys (publicly readable)
+		m.Group("/users", func() {
+			m.Group("/{username}", func() {
+				m.Get("/keys", user.ListPublicKeys)
+			}, context.UserAssignmentAPI())
+		})
+
 		// Users (requires user scope)
 		m.Group("/user", func() {
 			m.Get("", user.GetAuthenticatedUser)
diff --git a/routers/api/v1/user/key.go b/routers/api/v1/user/key.go
index d9456e7ec6..b70fbf6d66 100644
--- a/routers/api/v1/user/key.go
+++ b/routers/api/v1/user/key.go
@@ -7,6 +7,7 @@ import (
 	std_ctx "context"
 	"fmt"
 	"net/http"
+	"strings"
 
 	asymkey_model "code.gitea.io/gitea/models/asymkey"
 	"code.gitea.io/gitea/models/db"
@@ -89,8 +90,16 @@ func listPublicKeys(ctx *context.APIContext, user *user_model.User) {
 	apiKeys := make([]*api.PublicKey, len(keys))
 	for i := range keys {
 		apiKeys[i] = convert.ToPublicKey(apiLink, keys[i])
-		if ctx.Doer.IsAdmin || ctx.Doer.ID == keys[i].OwnerID {
-			apiKeys[i], _ = appendPrivateInformation(ctx, apiKeys[i], keys[i], user)
+		if ctx.Doer != nil {
+			if ctx.Doer.IsAdmin || ctx.Doer.ID == keys[i].OwnerID {
+				apiKeys[i], _ = appendPrivateInformation(ctx, apiKeys[i], keys[i], user)
+			}
+		} else {
+			// unauthenticated requests will not receive the title property
+			// to preserve privacy
+			apiKeys[i].Title = ""
+			// the key comment is truncated to preserve privacy
+			apiKeys[i].Key = strings.Join(strings.Split(apiKeys[i].Key, " ")[:2], " ")
 		}
 	}