I was actually thinking we should probably be using the access control pages plugin middleware to enforce the JWT authentication at an application level so it "defaults closed" instead of open. I think that's a more secure approach. Otherwise when you first deploy the project it is completely open to the world potentially exposing your database. With the middleware you would have to explicitly set the relevant environment variables from Zero Trust and only then will you be able to access it.

Originally posted by @johtso in #50 (comment)