@ndchorley I did think about going down the security route previously, but I think could balloon into a large set of requirements if we wanted to do it comprehensively - so we've have stayed away thus far. during your travels with sessions, if you want to isolate auth/session lookup into Filters (as a separate concern), you can use the request-context facilities to "attach" objects to the request. See here for details - there are both typesafe Lens-based and non-lens-based examples: https://www.http4k.org/cookbook/request_context/