diff --git a/Taskfile.yml b/Taskfile.yml
index ff2a107..9ec0b17 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -99,4 +99,5 @@ tasks:
 desc: Remove all persistent data
 cmds:
 - podman image rm {{.DOCKER_ORG_JO_MICRO}}/router:latest || exit 0
+ - podman volume rm jo_micro-router_go || exit 0
 - rm -rf $PWD/.task
\ No newline at end of file
diff --git a/cmd/microrouterd/main.go b/cmd/microrouterd/main.go
index 2cf8c69..32efe56 100644
--- a/cmd/microrouterd/main.go
+++ b/cmd/microrouterd/main.go
@@ -11,6 +11,7 @@ import (
 "github.com/gin-gonic/gin"
 httpServer "github.com/go-micro/plugins/v4/server/http"
 "jochum.dev/jo-micro/auth2"
+ "jochum.dev/jo-micro/auth2/plugins/verifier/endpointroles"
 "jochum.dev/jo-micro/router"
 "jochum.dev/jo-micro/router/cmd/microrouterd/config"
@@ -26,6 +27,7 @@ func internalService(routerHandler *handler.Handler) {
 opts := []micro.Option{
 micro.Name(config.Name + "-internal"),
 micro.Version(config.Version),
+ micro.WrapHandler(auth2.ClientAuthRegistry().Plugin().Wrapper()),
 micro.Action(func(c *cli.Context) error {
 if err := auth2.ClientAuthRegistry().Init(c, srv); err != nil {
 ilogger.Logrus().Fatal(err)
@@ -33,6 +35,18 @@ func internalService(routerHandler *handler.Handler) {
 routerserverpb.RegisterRouterServerServiceHandler(srv.Server(), routerHandler)
+ authVerifier := endpointroles.NewVerifier(
+ endpointroles.WithLogrus(ilogger.Logrus()),
+ )
+ authVerifier.AddRules(
+ endpointroles.RouterRule,
+ endpointroles.NewRule(
+ endpointroles.Endpoint(routerserverpb.RouterServerService.Routes),
+ endpointroles.RolesAllow(auth2.RolesServiceAndAdmin),
+ ),
+ )
+ auth2.ClientAuthRegistry().Plugin().SetVerifier(authVerifier)
+
 r := router.NewHandler(
 c.String("router_basepath"),
 router.NewRoute(
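Review bot: The new `micro.WrapHandler(auth2.ClientAuthRegistry().Plugin().Wrapper())` option in `internalService` is evaluated while the `opts` slice is built, but the registry is only initialised later by `Init(c, srv)` inside the `micro.Action` callback. If `Plugin()` is selected during `Init` (not visible in this hunk), the call could return nil or an unconfigured plugin, so the service would either panic at start-up or install a wrapper that is not the one later given the verifier. Please confirm the ordering and record it next to the option, e.g. `// Wrapper() may be taken before Init; the plugin resolves its verifier per request`, or obtain the wrapper through a closure that looks the plugin up at request time. The body of `internalService` starts and ends outside this hunk.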
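Review bot: The rules passed to `authVerifier.AddRules` cover only `endpointroles.RouterRule` and `RouterServerService.Routes`, and nothing in this hunk shows what the verifier decides for an endpoint that matches no rule. If unmatched endpoints are allowed, any RPC added to the internal service later would be reachable without a role check, so the default should be stated above the call once confirmed, e.g. `// Endpoints without a matching rule are rejected; add a rule for every new RPC.`. A test that calls an unlisted endpoint without credentials and expects a rejection would pin this. A short comment on why `auth2.RolesServiceAndAdmin` is the intended audience for `Routes` would also help the next reader. The enclosing `micro.Action` callback starts and ends outside the hunk.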