diff --git a/src/app.ts b/src/app.ts
index 488b549..53f7723 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -1,22 +1,66 @@
 import "reflect-metadata";
 import * as dotenvSafe from "dotenv-safe";
-import { createExpressServer } from "routing-controllers";
+import { Action, createExpressServer, HttpError } from "routing-controllers";
 import consola from "consola";
 import loaders from "./loaders/index";
-
+//
+import * as jwt from "jsonwebtoken";
+//
 dotenvSafe.config();
 const PORT = process.env.APP_PORT || 4010;
+const sampletoken = jwt.sign({
+ "permissions": {
+ "TRACKS": ["read", "update", "delete", "add"]
+ }
+}, process.env.JWT_SECRET || "secretjwtsecret")
+console.log(`sampletoken: ${sampletoken}`);
+
 const app = createExpressServer({
- controllers: [__dirname + "/controllers/*.ts"],
+ authorizationChecker: async (action: Action, permissions: string | string[]) => {
+ let required_permissions = permissions
+ if (typeof permissions === "string") {
+ required_permissions = [permissions]
+ }
+ // const token = action.request.headers["authorization"];
+ const provided_token = action.request.query["auth"];
+ try {
+ const jwtPayload = jwt.verify(provided_token, process.env.JWT_SECRET || "secretjwtsecret");
+ if (jwtPayload.permissions) {
+ action.response.local = {}
+ action.response.local.jwtPayload = jwtPayload.permissions
+ required_permissions.forEach(r => {
+ const permission_key = r.split(":")[0]
+ const permission_access_level = r.split(":")[1]
+ // console.log(permission_key);
+ // console.log(permission_access_level);
+ if (jwtPayload.permissions[permission_key].indexOf(r) === 1) {
+ return true;
+ } else {
+ // TODO: throw/return proper HttpError
+ return false;
+ }
+ });
+ } else {
+ // TODO: throw/return proper HttpError
+ return false;
+ }
+ } catch (error) {
+ console.log(error);
+ // throw new HttpError(401, "jwt_illegal")
+ return false
+ }
+ return true;
+ },
+ development: false,
+ controllers: [`${__dirname}/controllers/*.ts`],
 });
-async function main() {
+(async () => {
 await loaders(app);
 app.listen(PORT, () => {
 consola.success(
 `⚡️[server]: Server 
is running at http://localhost:${PORT}`
 );
 });
-}
-main();
+})();
\ No newline at end of file
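Review bot: The new `authorizationChecker` authorizes any request whose token verifies and carries a `permissions` claim with the requested key, because the `return true` / `return false` inside `required_permissions.forEach` only leave the callback and control then reaches the final `return true`. The comparison is also off: `indexOf(r) === 1` searches for the whole `"KEY:level"` string and accepts only position 1, so the check should test the access level for membership and deny when any required permission is missing, as in the block below. Separately, the `|| "secretjwtsecret"` fallback on both `jwt.sign` and `jwt.verify`, together with the startup `console.log` of a signed all-permissions `sampletoken`, means a deployment without `JWT_SECRET` trusts a publicly known key and writes a valid token to the logs; I would fail startup when the secret is unset and drop the sample token. Reading the token from `action.request.query["auth"]` also places it in URLs and access logs, so the commented-out `authorization` header is the safer source.

```typescript
// … unchanged: jwt.verify call and the jwtPayload.permissions guard …
const granted = required_permissions.every(r => {
    const [permission_key, permission_access_level] = r.split(":");
    const allowed = jwtPayload.permissions[permission_key];
    // Deny when the key is absent or the level is not listed for it.
    return Array.isArray(allowed) && allowed.includes(permission_access_level);
});
if (!granted) {
    return false;
}
// … unchanged: else branch, catch block and final return true …
```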