i've managed it with custom

RouteSelector

. Just have rewritten

HttpHeaderRouteSelector

so it checks

Authentication

header availability. then i validate the token in child

authentication

section. now there are 3 states: valid token -> 200 invalid token -> 401 no token header -> 404 🙂 (perhaps need to handle this case separately)