For server extension declarations in FFDL, I have seen variations both including and excluding the UNSECURED keyword as follows:
CREATE EXTENSION /ActivateUser UNSECURED AS javascript:require ('scripts/RegistrationExtension').activateUser();
CREATE EXTENSION /ChangePassword AS javascript:require ('scripts/PasswordExtension').changePassword();
What is the UNSECURED keyword used for? Most examples I have found simply exclude it.
Normally, a user needs to be logged in to hit a server extension, but when you specify UNSECURED this restriction is lifted and anonymous users can trigger the extension.