The structure of MERNKIT dictates that all routing is done by Routers in the routes folder. All the authentication methods issue a JSON Web Token for continual API authentication. Therefore, Keep a close eye out for the following line:
router.use(passport.authenticate("jwt", { session: false }));
Anything above that line in a routes file is accessible without authentication.
Anything below is protected.
When you create your own routes you can use this same line of code to protect your routes.