Hiding API documentation from users who use the application is therefore of little use.
@authenticated annotation in the source code. An attacker could request
GET /accountinfo/<account-ID>/. This sort of thing is not uncommon.)
You can withhold the documentation on a need-to-know basis, but don’t get a false sense of security: endpoints are not secrets; authentication tokens are.
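One way to catch a forgotten @authenticated before release is a check that walks the route table and reports every handler that is neither authenticated nor explicitly marked public. This is an added example, not code from the original page; the route table, the decorators, the /login and /transfers/ paths and the token value are hypothetical and constructed for illustration.

```python
import functools

VALID_TOKENS = {"constructed-token-123"}  # constructed sample value
ROUTES = {}  # hypothetical route table: path template -> registered handler

def route(path):
    def register(handler):
        ROUTES[path] = handler
        return handler
    return register

def authenticated(handler):
    """Reject requests without a valid token and mark the handler as protected."""
    @functools.wraps(handler)
    def wrapper(request, *args):
        if request.get("token") not in VALID_TOKENS:
            return 401, "authentication required"
        return handler(request, *args)
    wrapper.requires_auth = True
    return wrapper

def public(handler):
    handler.is_public = True  # deliberate, reviewable opt-out
    return handler

@route("/login")
@public
def login(request):
    return 200, "login form"

@route("/accountinfo/<account-ID>/")
def account_info(request, account_id):  # @authenticated was forgotten here
    return 200, f"details for account {account_id}"

@route("/transfers/")
@authenticated
def transfers(request):
    return 200, "transfer list"

def unprotected_routes(routes=ROUTES):
    """Paths whose registered handler is neither authenticated nor public."""
    return sorted(
        path for path, h in routes.items()
        if not (getattr(h, "requires_auth", False) or getattr(h, "is_public", False))
    )

if __name__ == "__main__":
    for path in unprotected_routes():
        print("missing @authenticated:", path)
```

Run as a unit test in CI, the check fails the build on any non-empty result. It also flags a handler where @authenticated was placed above @route, because the route table then holds the unwrapped function.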