AppSync does not natively support unauthenticated API calls, but there are three methods to implement them: using API keys, Lambda authorizers with shared secrets, or AWS IAM with Cognito Identity Pool. Each method has its pros and cons, including ease of setup, control over access, cost implications, and scalability concerns. A detailed comparison helps in choosing the best approach for unauthenticated GraphQL operations.