These notes are specifically from the point of view of the Wellcome Library's current auth requirements, to see how the current proposed IIIF services fit.
The Wellcome Library does not support degraded access on the image service. You're either authorised or you're not. For certain otherwise protected content, it allows a thumbnail to be served to anonymous users - but will provide that as the "thumbnail" property of the canvas, not as a size degredation on the image service. This "thumbnail" property might be a URI, ot it might be an image service - see other gist. This means that viewers should use the "thumbnail" to get thumbnails.
The Image API spec adds a login service to the info.json:
{
"service" : {
"@id": "http://authentication.example.org/login",