diff --git a/auth-system/ingresses.yaml b/auth-system/ingresses.yaml deleted file mode 100644 index 9ff9a08..0000000 --- a/auth-system/ingresses.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: pastefy-outpost - namespace: auth-system - annotations: - nginx.ingress.kubernetes.io/ssl-redirect: "true" -spec: - ingressClassName: nginx-internal - rules: - - host: pastefy.dooplex.hu - http: - paths: - - path: /outpost.goauthentik.io - pathType: Prefix - backend: - service: - name: ak-outpost-pastefy-outpost - port: - number: 9000 - tls: - - hosts: - - pastefy.dooplex.hu - secretName: pastefy-tls \ No newline at end of file diff --git a/pastefy-system/pastefy.yaml b/pastefy-system/pastefy.yaml index 79162ca..69e6cc5 100644 --- a/pastefy-system/pastefy.yaml +++ b/pastefy-system/pastefy.yaml 
@@ -224,60 +224,17 @@ spec: app.kubernetes.io/instance: pastefy app.kubernetes.io/name: pastefy --- -# Ingress 1: Public - for viewing pastes (no auth) +# Public ingress: everything is readable (UI + assets + paste pages) apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: pastefy-public namespace: pastefy-system - annotations: - nginx.ingress.kubernetes.io/use-regex: "true" -spec: - ingressClassName: nginx-internal - rules: - - host: pastefy.dooplex.hu - http: - paths: - # Match paste IDs (typically 6-8 char alphanumeric) - - path: /([a-zA-Z0-9]{5,12})(/raw)?$ - pathType: ImplementationSpecific - backend: - service: - name: pastefy - port: - number: 80 - - host: pastefy.home - http: - paths: - - path: /([a-zA-Z0-9]{5,12})(/raw)?$ - pathType: ImplementationSpecific - backend: - service: - name: pastefy - port: - number: 80 - tls: - - hosts: - - pastefy.dooplex.hu - secretName: pastefy-tls ---- -# Ingress 2: Protected - main app (with Authentik auth) -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: pastefy - namespace: pastefy-system annotations: cert-manager.io/cluster-issuer: letsencrypt-prod external-dns.alpha.kubernetes.io/hostname: pastefy.dooplex.hu,pastefy.home nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/proxy-body-size: "50m" - # Authentik forward auth - nginx.ingress.kubernetes.io/auth-url: "http://ak-outpost-pastefy-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx" - nginx.ingress.kubernetes.io/auth-signin: "https://pastefy.dooplex.hu/outpost.goauthentik.io/start?rd=$scheme://$host$escaped_request_uri" - nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid" - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; spec: ingressClassName: nginx-internal rules: 
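Review bot: The replacement header comment on `pastefy-public` says everything is readable but does not record where write protection now lives, so a later reader has no pointer to the ingress that replaces the removed `auth-url`/`auth-signin`/`auth-response-headers` annotations; suggest `# Public ingress: everything is readable (UI + assets + paste pages). Writes are gated by the pastefy-api-auth ingress further down.` It is also worth a line stating that any mutating route outside `/api` is now reachable without Authentik, since this hunk drops forward-auth for the whole host and deletes the `pastefy` ingress that carried it. The ingress `rules` continue past the end of the hunk.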
@@ -306,6 +263,66 @@ spec: - pastefy.dooplex.hu secretName: pastefy-tls --- +# API ingress: require authentik ONLY for non-GET methods (POST/PUT/DELETE) +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: pastefy-api-auth + namespace: pastefy-system + annotations: + nginx.ingress.kubernetes.io/server-snippet: | + # Internal endpoint NGINX will call for auth checks + location = /__ak_auth { + internal; + proxy_pass http://ak-outpost-pastefy-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx; + + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # Where to send users when auth is required + location @ak_login { + return 302 https://pastefy.dooplex.hu/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; + } + nginx.ingress.kubernetes.io/configuration-snippet: | + # Allow reading without auth, but require auth for write methods + limit_except GET HEAD OPTIONS { + auth_request /__ak_auth; + error_page 401 = @ak_login; + } +spec: + ingressClassName: nginx-internal + rules: + - host: pastefy.dooplex.hu + http: + paths: + - path: /api + pathType: Prefix + backend: + service: + name: pastefy + port: + number: 80 + - host: pastefy.home + http: + paths: + - path: /api + pathType: Prefix + backend: + service: + name: pastefy + port: + number: 80 + tls: + - hosts: + - pastefy.dooplex.hu + secretName: pastefy-tls +--- apiVersion: v1 kind: PersistentVolumeClaim metadata:
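Review bot: The `limit_except GET HEAD OPTIONS { auth_request …; error_page …; }` block in the configuration-snippet is not valid nginx configuration — `auth_request` and `error_page` are permitted only at http/server/location level, not inside `limit_except` (which takes access/auth_basic-style directives), so the generated config should fail validation and the `/api` write gate never takes effect, while the earlier hunk has already removed forward-auth from the host. A working shape is to apply `auth_request /__ak_auth;` and `error_page 401 = @ak_login;` unconditionally at location level and let the internal `/__ak_auth` location short-circuit with `return 200;` for read methods (`$request_method` in an auth subrequest reflects the client request's method), as sketched below. Separately, `@ak_login` redirects to `https://pastefy.dooplex.hu/outpost.goauthentik.io/start`, but this commit deletes `auth-system/ingresses.yaml`, the only route in the diff that sent `/outpost.goauthentik.io` on that host to `ak-outpost-pastefy-outpost`; unless the public ingress (its paths are outside these hunks) now routes that prefix, the login start and callback URLs land on the pastefy backend. Both snippets also depend on the controller's `allow-snippet-annotations` setting, which this diff does not show.
```yaml
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      location = /__ak_auth {
        internal;
        # Read methods never reach the outpost; $request_method here is the client's method
        if ($request_method ~ ^(GET|HEAD|OPTIONS)$) { return 200; }
        # … unchanged: proxy_pass and proxy_set_header lines …
      }
      # … unchanged: @ak_login location …
    nginx.ingress.kubernetes.io/configuration-snippet: |
      # auth_request/error_page cannot live inside limit_except; the method gate is in /__ak_auth
      auth_request /__ak_auth;
      error_page 401 = @ak_login;
```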