Hi, 
  This is because all the services are protected under Basic access authentication, if your using postman or rest client set the Basic Auth in Header  or if you want to access from browser you need to add com.liferay.headless.delivery.internal.resource.v1_0.OpenAPIResourceImpl#getOpenAPI in SYSTEM_DEFAULT (Service Access Policy)

Solution 1: As per @MohammedYasin's response, you should add the "Authorization" header as in the example bellow (I'm using Postman):

Solution 2: disable the authentication for your module. For this, follow the https://help.liferay.com/hc/en-us/articles/360021024071-Making-Authenticated-Requests- details. Keep in mind that their example (com.liferay.headless.delivery.internal.jaxrs.application.HeadlessDeliveryApplication-default.config) is for the component from their example. The real name of the config file should be in regard with what you have defined. For example, if your Class is PdfGeneratorApplication and is in PdfGenerator.application package, the your config file should be named PdfGenerator.application.PdfGeneratorApplication-default.config with the following content:

oauth2.scopechecker.type="none"
auth.verifier.auth.verifier.BasicAuthHeaderAuthVerifier.urls.includes="*"
auth.verifier.auth.verifier.OAuth2RestAuthVerifier.urls.includes="*"
auth.verifier.guest.allowed="true"

 

Please refer this. https://learn.liferay.com/dxp/latest/en/headless-delivery/consuming-apis/making-unauthenticated-requests.html

you need to create a service access policy.