All endpoints need to protected. The UI specific endpoints will get the OAuth token sent in the request header. The OAuth proxy needs to be setup to specifically protect these. This should work automatically since the Go server is serving the UI /apps /apps/ {id} The /apps/{id} /init endpoint needs to to authenticate the keycloak token sent in the request. |