According to https://datatracker.ietf.org/doc/html/rfc7617#autoid-3 , specification of the realm parameter is REQUIRED, so making realm optional here

and at related places, is misleading and makes it easy to create non-conforming APIs. It bit me when a Shelly device refused (rightfully) to authenticate against the API which was using the default (missing) realm behavior.