Oh, just the same as you would without providing JWT middleware. Keep in mind you aren’t limited to .all(*) router handler, you can also use .post(*), .get(*) as well as you can define the exact path to which the middleware you wish to apply, and simply don’t put it to paths you wouldn’t want to be validated. For instance .get('/secret’, verifyJWT_MW) will keep route GET /secret protected, while POST /secret or GET /public won’t be. Making it public. Hope that answers your question.