I've tried to access https://archive.internal.softwareheritage.org/api/1/graph/stats/ and I got Authentication credentials were not provided..
Would it be possible to lift the requirement of having an auth token (and an authorized user) for accessing /graph endpoints when coming from the VPN?
(Only team members have VPN access, so it should be safe to consider them trusted for this one.)