diff --git a/src/main/kotlin/eu/fosil/okupamicoche/spring/conf/JWTSecurityConfig.kt b/src/main/kotlin/eu/fosil/okupamicoche/spring/conf/JWTSecurityConfig.kt
index ebe8c1a..32cd238 100644
--- a/src/main/kotlin/eu/fosil/okupamicoche/spring/conf/JWTSecurityConfig.kt
+++ b/src/main/kotlin/eu/fosil/okupamicoche/spring/conf/JWTSecurityConfig.kt
@@ -11,9 +11,8 @@ class JWTSecurityConfig : WebSecurityConfigurerAdapter() {
         http.cors()
             .and()
                 .authorizeRequests()
-                    .anyRequest()
-                        .permitAll()
-//                        .hasAuthority("SCOPE_profile")
+                    .antMatchers("/api/private/**").authenticated()
+                    .anyRequest().permitAll()
 //            .and()
 //                .oauth2ResourceServer()
 //                    .jwt()
diff --git a/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/TravelRestController.kt b/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PrivateTravelRestController.kt
similarity index 85%
rename from src/main/kotlin/eu/fosil/okupamicoche/spring/controller/TravelRestController.kt
rename to src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PrivateTravelRestController.kt
index 1d6f70d..b704656 100644
--- a/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/TravelRestController.kt
+++ b/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PrivateTravelRestController.kt
@@ -12,11 +12,10 @@ import org.springframework.data.repository.findByIdOrNull
 import org.springframework.validation.annotation.Validated
 import org.springframework.web.bind.annotation.*
 
-
 @RestController
-@RequestMapping("/api/travel")
+@RequestMapping("/api/private/travel")
 @CrossOrigin(origins = ["http://localhost:4200"])
-class TravelRestController(
+class PrivateTravelRestController(
     private val userRepository: UserRepository,
     private val travelRepository: TravelRepository
 ) : ApiRestController {
@@ -56,21 +55,6 @@ class TravelRestController(
         }
     }
 
-    @RequestMapping("/list")
-    fun listTravels(
-        @RequestParam @Validated filter: String?
-    ): ApiResponse<TravelListDto> {
-        return response {
-            val travels = if ((filter == null) || (filter.isEmpty()))
-                ListTravels(travelRepository).listTravels().map { t -> TravelDto(t) }
-            else
-                ListTravels(travelRepository).listTravels(
-                    filter, SORT_ASCENDING, 0, 20
-                ).map { t -> TravelDto(t) }
-            TravelListDto(travelRepository.count(), travels)
-        }
-    }
-
     @RequestMapping("/listusertravels")
     fun listUserTravels(): ApiResponse<TravelListDto> {
         return response {
diff --git a/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/UserRestController.kt b/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PrivateUserRestController.kt
similarity index 93%
rename from src/main/kotlin/eu/fosil/okupamicoche/spring/controller/UserRestController.kt
rename to src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PrivateUserRestController.kt
index 5e89320..3bc9e80 100644
--- a/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/UserRestController.kt
+++ b/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PrivateUserRestController.kt
@@ -13,9 +13,9 @@ import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 
 @RestController
-@RequestMapping("/api/user")
+@RequestMapping("/api/private/user")
 @CrossOrigin(origins = ["http://localhost:4200"])
-class UserRestController(private val userRepository: UserRepository) : ApiRestController {
+class PrivateUserRestController(private val userRepository: UserRepository) : ApiRestController {
 
     @RequestMapping("/create")
     fun createUser(@RequestBody @Validated createUserDto: CreateUserDto): ApiResponse<Unit> {
diff --git a/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PublicRestController.kt b/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PublicRestController.kt
new file mode 100644
index 0000000..deef72a
--- /dev/null
+++ b/src/main/kotlin/eu/fosil/okupamicoche/spring/controller/PublicRestController.kt
@@ -0,0 +1,34 @@
+package eu.fosil.okupamicoche.spring.controller
+
+import eu.fosil.okupamicoche.dto.TravelDto
+import eu.fosil.okupamicoche.dto.TravelListDto
+import eu.fosil.okupamicoche.entities.ApiResponse
+import eu.fosil.okupamicoche.repositories.TravelRepository
+import eu.fosil.okupamicoche.usecases.travel.ListTravels
+import eu.fosil.okupamicoche.usecases.travel.SORT_ASCENDING
+import org.springframework.validation.annotation.Validated
+import org.springframework.web.bind.annotation.CrossOrigin
+import org.springframework.web.bind.annotation.RequestMapping
+import org.springframework.web.bind.annotation.RequestParam
+import org.springframework.web.bind.annotation.RestController
+
+@RestController
+@RequestMapping("/api/public")
+@CrossOrigin(origins = ["http://localhost:4200"])
+class PublicRestController(private val travelRepository: TravelRepository) : ApiRestController {
+
+    @RequestMapping("/list")
+    fun listTravels(
+        @RequestParam @Validated filter: String?
+    ): ApiResponse<TravelListDto> {
+        return response {
+            val travels = if ((filter == null) || (filter.isEmpty()))
+                ListTravels(travelRepository).listTravels().map { t -> TravelDto(t) }
+            else
+                ListTravels(travelRepository).listTravels(
+                    filter, SORT_ASCENDING, 0, 20
+                ).map { t -> TravelDto(t) }
+            TravelListDto(travelRepository.count(), travels)
+        }
+    }
+}
\ No newline at end of file