diff --git a/Dockerfile b/Dockerfile
index ff34993..45eb9ba 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@ COPY . /git/
 RUN find . -type d -name .git -exec git describe --always --dirty > /git-version.txt \;
 
 
-FROM python:3.13
+FROM python:3.12
 
 EXPOSE 8080
 
diff --git a/app.py b/app.py
index cd31e35..691e2d4 100644
--- a/app.py
+++ b/app.py
@@ -18,6 +18,26 @@ from gitmgr import GitManagerConfiguration, GitManager
 startup_timestamp = datetime.now()
 
 
+class AuthenticatedHandler(tornado.web.RequestHandler, metaclass=ABCMeta):
+    # noinspection PyAttributeOutsideInit
+    def initialize(self, auth_provider=None):
+        self.auth_provider = auth_provider
+
+    def prepare(self):
+        if self.auth_provider is None:
+            return
+
+        # check authentication
+        auth_hdr = "Authentication"
+        if auth_hdr not in self.request.headers:
+            raise tornado.web.HTTPError(401, reason="authentication not provided")
+
+        tk = self.request.headers[auth_hdr]
+
+        if not self.auth_provider.validate_token(tk):
+            raise tornado.web.HTTPError(403, reason="invalid authentication token provided")
+
+
 class HealthHandler(tornado.web.RequestHandler, metaclass=ABCMeta):
     # noinspection PyAttributeOutsideInit
     def initialize(self, sources=None):
@@ -77,12 +97,38 @@ class Oas3Handler(tornado.web.RequestHandler, metaclass=ABCMeta):
         self.finish()
 
 
+class AllEntitiesHandler(AuthenticatedHandler, metaclass=ABCMeta):
+    # noinspection PyAttributeOutsideInit
+    def initialize(self, auth_provider=None):
+        super().initialize(auth_provider)
+
+    def post(self):
+        pass
+
+    def get(self):
+        pass
+
+
+class SingleEntityHandler(AuthenticatedHandler, metaclass=ABCMeta):
+    # noinspection PyAttributeOutsideInit
+    def initialize(self, auth_provider=None):
+        super().initialize(auth_provider)
+
+    def post(self, identifier):
+        pass
+
+    def get(self, identifier):
+        pass
+
+
 def make_app(_auth_provider=None, gitmgr=None):
     version_path = r"/v[0-9]"
     return tornado.web.Application([
         (version_path + r"/health", HealthHandler,
          {"sources": [lambda: {"git-head":  gitmgr.head_sha}] if gitmgr else None}),
         (version_path + r"/oas3", Oas3Handler),
+        (version_path + r"/entities", AllEntitiesHandler, {"auth_provider": _auth_provider}),
+        (version_path + r"/entity/{.*}", SingleEntityHandler, {"auth_provider": _auth_provider}),
     ])
 
 
diff --git a/requirements.txt b/requirements.txt
index 2d455a1..87c39f9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-tornado==6.5.1
-isodate==0.7.2
-pytest==8.4.0
-GitPython==3.1.44
\ No newline at end of file
+tornado==6.3.3
+isodate==0.6.1
+pytest==7.4.3
+GitPython==3.1.40
\ No newline at end of file