1. Definitely separate the auth into a filter - this is a separate concern (presumably for the entire server), so it should not live with the route logic.
2. You could potentially convert the invoke extension function to create a "caller" function, and save creating the lenses every time it's called.
3. Kotlin type inference FTW 🙂
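
The separation suggested in point 1, sketched as an added example (not code from this thread or from any framework): `Request`, `Response`, `Handler`, `Filter`, `bearerAuth`, `router` and the token value are stand-in names constructed here for illustration.

```kotlin
// Stand-in types for illustration only; not a real framework's API.
data class Request(val path: String, val headers: Map<String, String> = emptyMap())
data class Response(val status: Int, val body: String = "")

typealias Handler = (Request) -> Response
typealias Filter = (Handler) -> Handler

// Auth as a filter: one place that decides whether a request may proceed.
// `isValid` is a hypothetical check; a real server would verify a signed token or session.
fun bearerAuth(isValid: (String) -> Boolean): Filter = { next ->
    { req ->
        val token = req.headers["Authorization"]
            ?.takeIf { it.startsWith("Bearer ") }
            ?.removePrefix("Bearer ")
        // Fail closed: a missing, malformed or invalid token never reaches route logic.
        if (token != null && isValid(token)) next(req) else Response(401, "unauthorized")
    }
}

// Route logic contains no authentication code at all.
val orders: Handler = { Response(200, "orders") }
val users: Handler = { Response(200, "users") }

fun router(table: Map<String, Handler>): Handler = { req ->
    table[req.path]?.invoke(req) ?: Response(404, "not found")
}

fun main() {
    val auth = bearerAuth { it == "constructed-test-token" } // constructed sample value
    // Wrapping the whole router means a route added later is protected by default.
    val app = auth(router(mapOf("/orders" to orders, "/users" to users)))

    val good = mapOf("Authorization" to "Bearer constructed-test-token")
    println(app(Request("/orders", good)))
    println(app(Request("/users")))                                          // no header
    println(app(Request("/orders", mapOf("Authorization" to "Bearer nope")))) // bad token
    println(app(Request("/missing", good)))
}
```

Because the filter wraps the router rather than individual handlers, an unauthenticated request is rejected before path matching, so it also cannot be used to probe which routes exist.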