How do you think it should work? I never used several authentication layers, so I really don’t know

I'm not ignoring you, I think the solution would require a a rework of the authentication pipeline. Not something I'm a fan of proposing. I can sort of work around it in other ways. I was hoping for an easy win. As a side note I've used Dropwizard and SparkJava quite a bit, we stumbled across this project (ktor) a while back. We are putting together a public facing facade for some internal routes and thought we would give ktor a try. Due to the lack of docs me and a colleague have had to learn by dissection, but from what we've seen it's a nice little system you have here, thanks for it 🙂

I don’t know if there is an easy win or not before I see requirements 🙂 Just “second layer of security” is not enough, I’ve lost my telepathic skills in early childhood 😄

A very brief thought process put me here... Something like this is what I was attempting to get working.

route("/thing") {
        authentication { someBasicAuth() }
        post {}
        route("/{thingId}") {
                authentication { idBasedAuth() }
                post {}
        }
}

I think for that to work we need to have a stack of authenticators and walk through each one based on the route /thing would trigger someBasicAuth whereas /thing/1 would trigger both someBasicAuth and idBasedAuth. 2 options for that I think could be - Authenticator would set a principal, but only the last authenticators prinical would be set at the end of authentication pipeline - A principal is associated to each Authenticator meaning you would have multple principals

on related note, I wanted to suggest that under one route, there could be mix/match of secured/public routes. eg, get (public) vs put/post/delete (secured). There isnt a way to achieve that currently, IMO.