What permissions are required to be set for Firewall extension?

I noticed a lot of these errors in the ConfigAndLog:

Nov 09 08:56:23  [error] 
$Fatal Error Details = array(3) {
  ["message"]=>
  string(20) "Authorization failed"
  ["code"]=>
  NULL
  ["exception"]=>
  object(Civi\API\Exception\UnauthorizedException)#1537 (8) {
    ["extraParams":"API_Exception":private]=>
    array(1) {
      ["error_code"]=>
      string(12) "unauthorized"
    }
    ["message":protected]=>
    string(20) "Authorization failed"
    ["string":"Exception":private]=>
    string(0) ""
    ["code":protected]=>
    int(0)
    ["file":protected]=>
    string(64) "/var/www/powerbase/sites/all/modules/civicrm/Civi/API/Kernel.php"
    ["line":protected]=>
    int(221)
    ["trace":"Exception":private]=>
    array(17) {
      [0]=>
      array(6) {
        ["file"]=>
        string(64) "/var/www/powerbase/sites/all/modules/civicrm/Civi/API/Kernel.php"
        ["line"]=>
        int(148)
        ["function"]=>
        string(9) "authorize"
        ["class"]=>
        string(15) "Civi\API\Kernel"
        ["type"]=>
        string(2) "->"
        ["args"]=>
        array(2) {
          [0]=>
          object(Civi\Api4\Provider\ActionObjectProvider)#1408 (0) {
          }
          [1]=>
          object(Civi\Api4\Generic\DAOCreateAction)#10 (14) {
            ["values":protected]=>
            array(3) {
              ["ip_address"]=>
              string(13) "50.87.253.134"
              ["source"]=>
              string(13) "invalid token"
              ["event_type"]=>
              string(16) "InvalidCSRFEvent"
            }
            ["version":protected]=>
            int(4)
            ["chain":protected]=>
            array(0) {
            }
            ["checkPermissions":protected]=>
            bool(true)
            ["debug":protected]=>
            bool(false)
            ["_entityName":protected]=>
            string(17) "FirewallIpaddress"
            ["_actionName":protected]=>
            string(6) "create"
            ["_reflection":"Civi\Api4\Generic\AbstractAction":private]=>
            object(ReflectionClass)#1543 (1) {
              ["name"]=>
              string(33) "Civi\Api4\Generic\DAOCreateAction"
            }
            ["_paramInfo":"Civi\Api4\Generic\AbstractAction":private]=>
            NULL
            ["_entityFields":"Civi\Api4\Generic\AbstractAction":private]=>
            NULL
            ["_arrayStorage":"Civi\Api4\Generic\AbstractAction":private]=>
            array(0) {
            }
            ["_id":"Civi\Api4\Generic\AbstractAction":private]=>
            int(1)
            ["_debugOutput"]=>
            array(0) {
            }
            ["language":protected]=>
            NULL
          }
        }
      }

The errors seem to be from the Api4 handler refusing to insert an IP address into the civicrm_firewall_ipaddress table due to permission problems.

I then tried to run the code manually via the cv command:

www-data@333f090f552b:~/powerbase$ cv php:eval '\Civi\Firewall\Event\FraudEvent::trigger("1.2.3.4", "my helpful description");'

                                              
  [Civi\API\Exception\UnauthorizedException]  
  Authorization failed                        
                                              

php:eval [--out OUT] [--level LEVEL] [-t|--test] [-U|--user USER] [--] [<code>]

www-data@333f090f552b:~/powerbase$

As a silly experiment I granted the anonymous use "Admin CiviCRM" permissions (on my development instance) and then it worked fine.

So, I'm clearly doing something wrong but I'm not sure what.