The bearer token routes are the ones that you will not be able to just simply view in the browser directly. They are usually called from a node's config panel back to its route that was added to RED.httpAdmin and then protected with middleware RED.auth.needsPermission. The editor automatically patches the ajax requests with the necessary headers.
/settings is an API endpoint used by the application. It isn't intended to be accessed directly by a user. It can only be accessed if the request includes the proper authentication header.
The editor is a full application. It copes with missing authentication information because it expects users to try accessing it and for them to need to log in. Once they log in, the editor knows how to include the proper authentication header when it makes requests to the API (such as to /settings).
Your browser does not know how to add the required headers by itself when you ask it to access the /settings route.
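An added example, not from the posts above and not Node-RED's own code: the route registration uses RED.httpAdmin and RED.auth.needsPermission as described, while the runtime stub, the path "/my-node/status", the permission "my-node.read" and the token values are constructed so the sketch runs offline. It shows why a plain address-bar request is refused while the editor's request with the bearer header succeeds.

```javascript
// What a node author writes: an admin route guarded by needsPermission.
// "/my-node/status" and "my-node.read" are hypothetical names.
function registerRoutes(RED) {
  RED.httpAdmin.get("/my-node/status",
    RED.auth.needsPermission("my-node.read"),
    (req, res) => res.status(200).json({ ok: true }));
}

// Constructed stand-in for the runtime (a simplified model, not Node-RED's
// implementation). tokens: Map of bearer token -> array of granted scopes.
function makeStubRED(tokens) {
  const routes = {};
  return {
    routes,
    httpAdmin: { get: (path, ...handlers) => { routes[path] = handlers; } },
    auth: {
      needsPermission: (permission) => (req, res, next) => {
        const m = /^Bearer (.+)$/.exec(req.headers.authorization || "");
        const scopes = m ? tokens.get(m[1]) : undefined;
        if (scopes && (scopes.includes("*") || scopes.includes(permission))) {
          return next();
        }
        res.status(401).end(); // no header, unknown token, or missing scope
      },
    },
  };
}

// Run the handler chain for one GET and return { status, body }.
function get(RED, path, headers = {}) {
  const result = { status: 404, body: null };
  const res = {
    status(code) { result.status = code; return this; },
    json(obj) { result.body = obj; return this; },
    end() { return this; },
  };
  const chain = RED.routes[path] || [];
  const run = (i) => { if (chain[i]) chain[i]({ headers }, res, () => run(i + 1)); };
  run(0);
  return result;
}

const RED = makeStubRED(new Map([["tok-editor", ["*"]], ["tok-limited", ["flows.read"]]]));
registerRoutes(RED);
// Typing the URL into the address bar: the browser sends no Authorization header.
const direct = get(RED, "/my-node/status");
// The logged-in editor's patched AJAX call carries the bearer token.
const editor = get(RED, "/my-node/status", { authorization: "Bearer tok-editor" });
// A valid token whose scopes do not include the route's permission.
const limited = get(RED, "/my-node/status", { authorization: "Bearer tok-limited" });
console.log(direct.status, editor.status, limited.status);
```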
Thanks for taking the time to explain it in words I better understand.
I still don't get the whole inter-relationship of it all, but how you explained it is slightly easier for me to understand.
I am having enough problems with structures of messages and how to parse them.
At a program level - although probably the same - I am not going to say I understand it as poorly as I do at the message level.