diff --git a/backend/app/middlewares/middlewares.go b/backend/app/middlewares/middlewares.go
index c9836f0..5633c03 100644
--- a/backend/app/middlewares/middlewares.go
+++ b/backend/app/middlewares/middlewares.go
@@ -1,6 +1,8 @@
 package middlewares

 import (
+ "strings"
+
 "quyun/v2/app/errorx"
 "quyun/v2/app/services"
 "quyun/v2/pkg/consts"
@@ -27,9 +29,12 @@ func (f *Middlewares) Prepare() error {
 }

 func (m *Middlewares) Auth(ctx fiber.Ctx) error {
+ if isPublicRoute(ctx) {
+ return ctx.Next()
+ }
 authHeader := ctx.Get("Authorization")
 if authHeader == "" {
- return ctx.Next()
+ return errorx.ErrUnauthorized.WithMsg("Missing token")
 }

 claims, err := m.jwt.Parse(authHeader)
@@ -88,3 +93,40 @@ func hasRole(roles types.Array[consts.Role], role consts.Role) bool {
 }
 return false
 }
+
+func isPublicRoute(ctx fiber.Ctx) bool {
+ path := ctx.Path()
+ method := ctx.Method()
+
+ if method == fiber.MethodGet {
+ switch path {
+ case "/v1/common/options", "/v1/contents", "/v1/topics", "/v1/tenants":
+ return true
+ }
+ if strings.HasPrefix(path, "/v1/contents/") {
+ return true
+ }
+ if strings.HasPrefix(path, "/v1/creators/") && strings.HasSuffix(path, "/contents") {
+ return true
+ }
+ if strings.HasPrefix(path, "/v1/tenants/") {
+ return true
+ }
+ if strings.HasPrefix(path, "/v1/orders/") && strings.HasSuffix(path, "/status") {
+ return true
+ }
+ if strings.HasPrefix(path, "/v1/storage/") {
+ return true
+ }
+ }
+
+ if method == fiber.MethodPost && path == "/v1/webhook/payment/notify" {
+ return true
+ }
+
+ if method == fiber.MethodPut && strings.HasPrefix(path, "/v1/storage/") {
+ return true
+ }
+
+ return false
+}
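Review bot: The `isPublicRoute(ctx)` return at the top of `Auth` runs before the `Authorization` header is read, so a request to a public route that carries a valid token is now treated as anonymous, where the old code would have parsed it. If any public handler uses the caller's identity when it is present (not visible in this hunk), that identity is silently lost. Applying the exemption only when no token was sent keeps optional authentication: read the header first, then `if authHeader == "" && isPublicRoute(ctx) { return ctx.Next() }` ahead of the `Missing token` return. The rest of `Auth` after `m.jwt.Parse` lies outside the hunk, so whether an invalid token on a public route should be rejected or ignored has to be decided there.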
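Review bot: The prefix rules in `isPublicRoute` exempt every path beneath `/v1/contents/`, `/v1/tenants/` and `/v1/storage/` (GET, and PUT for storage), so any route later registered under those prefixes bypasses `Auth` without anyone deciding that it should. The `/v1/creators/` and `/v1/orders/` rules are similarly loose, since `HasPrefix` plus `HasSuffix` accepts any number of segments in between. Matching on an exact segment count makes these fail closed, for example `seg := strings.Split(strings.Trim(path, "/"), "/")` followed by `len(seg) == 4 && seg[1] == "orders" && seg[3] == "status"`; attaching `Auth` only to the protected route groups is the alternative. The unauthenticated `PUT /v1/storage/` and `POST /v1/webhook/payment/notify` presumably rely on their handlers verifying a signature, which this diff does not show. A doc comment such as `// isPublicRoute reports the method/path pairs that bypass Auth; each listed handler must enforce its own access control.` would record that requirement.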