# API

The structure of MERNKIT dictates that all routing is done by Routers in the routes folder.  All the authentication methods issue a JSON Web Token for continual API authentication. Therefore, Keep a close eye out for the following line: 

```
router.use(passport.authenticate("jwt", { session: false }));
```

**Anything above that line in a routes file is accessible without authentication.** 

**Anything below is protected.** 

When you create your own routes you can use this same line of code to protect your routes.