I'm wondering if there is a way to layer authentication functions? Basically I have routes like

/thing

with basic api-key auth. But I also have nested routes like

/thing/1

that has a second layer of security. Once a principle has been set there is no way to unset it, and no other challenges proceed.