Access control for frigate clips in notifications

HA runs in a local machine as http://hass:8123, available externally via https://mydomain.com and my home router’s nginx does https->http. Authentication on HASS works, all good.

Now, I got frigate and Frigate Notifications (0.14.0.3h) blueprint. It does send notifications fine and includes urls like https://mydomain.com/api/frigate/notifications/1749714141.734479-v6q67y/driveway/clip.mp4 which do play fine.

What bothers me is that accessing https://mydomain.com/ requires authentication (which is good) but playing the clip does NOT - how to make it ask for login/password before showing the clip? Did I misconfigured something?

The network/auth related config is this:

http:
   use_x_forwarded_for: true
   trusted_proxies:
     - 192.168.10.201
homeassistant:
  auth_providers:
    - type: homeassistant

I can do passwords on nginx but this feels like a HA problem as the URL points to HA and even if redirects - it should still authenticate the user, no?