Client id and secret not being enforced

I’m receiving a success response when I leave the client_id and client_secret empty. Can someone tell me if the RAML is correct, or if I’m missing something? The only way I get an error response is if I add a minLength requirement.

#%RAML 1.0
title: Test

description: testing cloudhub

/something:
  get:
    headers:
      client_id:
        type: string
        required: true
      client_secret:
        type: string
        required: true
    responses:
      401:
        description: Unauthorized or invalid client application credentials
        body:
          application/json:
            example:
              {
                "Error": "You done messed up"
              }
      500:
        description: Bad response from authorization server, or WSDL SOAP Fault error
        body:
          application/json:
            example:
              {
                "Error": "We done messed up"
              }
      200:
        body:
          application/json:
            example:
              {
                "hello" : "goodbye"
              }
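
The behaviour described in the post, shown as an added example that is not part of the original post: in RAML 1.0, `required: true` only asserts that the header is present, and a `string` has a default `minLength` of 0, so an empty value satisfies the declaration. The trait name `client-id-required` is a hypothetical name chosen for this sketch.

```raml
#%RAML 1.0
title: Test
description: testing cloudhub

traits:
  # Hypothetical trait name; groups the credential headers so every
  # protected method declares them the same way.
  client-id-required:
    headers:
      client_id:
        type: string
        required: true   # header must be present; says nothing about its value
        minLength: 1     # rejects the empty string (the default minLength is 0)
      client_secret:
        type: string
        required: true
        minLength: 1
    responses:
      401:
        description: Unauthorized or invalid client application credentials
        body:
          application/json:
            example: { "Error": "You done messed up" }

/something:
  get:
    is: [ client-id-required ]
    responses:
      200:
        body:
          application/json:
            example: { "hello": "goodbye" }
```

These facets validate only the shape of the request. Any non-empty string passes them, so checking the values against registered client credentials has to happen in a separate enforcement step that this RAML does not express.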