The question here is not how to compose filters or interceptors. It’s all there in ktor and working good and async and modular, etc. The question is how to make authentication optional for some routes and not optional for other routes without writing too much boilerplate. Note, that authentication is not an easy task. If you are doing just Basic, then it’s ok to have a filter that either accepts or responds with 401, but if you’d code OAuth2 for example, it becomes much more complicated.