If possible, is there an auth_token that I can send with the image request to show the image to a non-authenticated user?
please tell us more about your use case and your environment. Do you have guest access enabled?
If you have access to a document, you should have access to an embedded image. If this image is only linked from another place which requires membership or is secret this behaviour you have seen would make sense.