Please validate: SageMaker Endpoint URL Authentication/Authorization

Need validation:

• Once the SageMaker endpoint is deployed. It can be invoked with the Sagemaker Runtime API InvokeEndpoint OR it can be invoked using the endpoint URL+HTTP AZ headers (below).

• Successful deployment also exposes a URL (on the console) that has the format:

https://runtime.sagemaker.us-east-1.amazonaws.com/endpoints/ENDPOINT-NAME/invocations

What is the purpose of this URL (shown on console)?

In my understanding this URL Cannot be invoked w/o appropriate headers as then there will be a need to have globally unique endpoint name!! THAT IS to invoke this URL it needs to have the "HTTP Authorization headers" (refer: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html)

I have a customer who is concerned that anyone can invoke the URL even from the internet. Tried to do it and received the <MissingTokenException> so I know it can't be done but just want to ensure I have the right explanation. (Test with HTTP/AZ headers pending)