The structure of MERNKIT dictates that all routing is done by Routers in the routes folder. All the authentication methods issue a JSON Web Token for continual API authentication. Therefore, Keep a close eye out for the following line:

router.use(passport.authenticate("jwt", { session: false }));

Anything above that line in a routes file is accessible without authentication.

Anything below is protected.

When you create your own routes you can use this same line of code to protect your routes.