+1
I ran into an issue with this when setting-up my SearXNG instance, I use Authelia to protect all of my self-hosted services, and it looks like browsers don't re-use that authentication session when doing opensearch requests (opensearch.xml, autocomplete, etc.) so as a work-around I had to disable authentication on the opensearch.xml path (To allow easily adding the search engine, i don't want unauthed autocomplete access)