diff --git a/backend/internal/api/routes/router.go b/backend/internal/api/routes/router.go
index 006b3bd..d8f771b 100644
--- a/backend/internal/api/routes/router.go
+++ b/backend/internal/api/routes/router.go
@@ -16,85 +16,92 @@ func SetupRouter(r *gin.Engine) {
 projectHandler := handlers.NewProjectHandler()
 timeEntryHandler := handlers.NewTimeEntryHandler()
 
- // Public routes
- r.POST("/auth/login", userHandler.Login)
- r.POST("/auth/register", userHandler.Register)
-
- // API routes (protected)
+ // API routes
 api := r.Group("/api")
- api.Use(middleware.AuthMiddleware())
 {
- // Auth routes
+ // Auth routes (public)
 auth := api.Group("/auth")
 {
- auth.GET("/me", userHandler.GetCurrentUser)
+ auth.POST("/login", userHandler.Login)
+ auth.POST("/register", userHandler.Register)
 }
 
- // User routes
- users := api.Group("/users")
+ // Protected routes
+ protected := api.Group("")
+ protected.Use(middleware.AuthMiddleware())
 {
- users.GET("", userHandler.GetUsers)
- users.GET("/:id", userHandler.GetUserByID)
- users.POST("", middleware.RoleMiddleware("admin"), userHandler.CreateUser)
- users.PUT("/:id", middleware.RoleMiddleware("admin"), userHandler.UpdateUser)
- users.DELETE("/:id", middleware.RoleMiddleware("admin"), userHandler.DeleteUser)
- }
+ // Auth routes (protected)
+ protectedAuth := protected.Group("/auth")
+ {
+ protectedAuth.GET("/me", userHandler.GetCurrentUser)
+ }
 
- // Activity routes
- activities := api.Group("/activities")
- {
- activities.GET("", activityHandler.GetActivities)
- activities.GET("/:id", activityHandler.GetActivityByID)
- activities.POST("", middleware.RoleMiddleware("admin"), activityHandler.CreateActivity)
- activities.PUT("/:id", middleware.RoleMiddleware("admin"), activityHandler.UpdateActivity)
- activities.DELETE("/:id", middleware.RoleMiddleware("admin"), activityHandler.DeleteActivity)
- }
+ // User routes
+ users := protected.Group("/users")
+ {
+ users.GET("", userHandler.GetUsers)
+ users.GET("/:id", userHandler.GetUserByID)
+ users.POST("", middleware.RoleMiddleware("admin"), userHandler.CreateUser)
+ users.PUT("/:id", middleware.RoleMiddleware("admin"), userHandler.UpdateUser)
+ users.DELETE("/:id", middleware.RoleMiddleware("admin"), userHandler.DeleteUser)
+ }
 
- // Company routes
- companies := api.Group("/companies")
- {
- companies.GET("", companyHandler.GetCompanies)
- companies.GET("/:id", companyHandler.GetCompanyByID)
- companies.POST("", middleware.RoleMiddleware("admin"), companyHandler.CreateCompany)
- companies.PUT("/:id", middleware.RoleMiddleware("admin"), companyHandler.UpdateCompany)
- companies.DELETE("/:id", middleware.RoleMiddleware("admin"), companyHandler.DeleteCompany)
- }
+ // Activity routes
+ activities := protected.Group("/activities")
+ {
+ activities.GET("", activityHandler.GetActivities)
+ activities.GET("/:id", activityHandler.GetActivityByID)
+ activities.POST("", middleware.RoleMiddleware("admin"), activityHandler.CreateActivity)
+ activities.PUT("/:id", middleware.RoleMiddleware("admin"), activityHandler.UpdateActivity)
+ activities.DELETE("/:id", middleware.RoleMiddleware("admin"), activityHandler.DeleteActivity)
+ }
 
- // Customer routes
- customers := api.Group("/customers")
- {
- customers.GET("", customerHandler.GetCustomers)
- customers.GET("/:id", customerHandler.GetCustomerByID)
- customers.GET("/company/:companyId", customerHandler.GetCustomersByCompanyID)
- customers.POST("", middleware.RoleMiddleware("admin"), customerHandler.CreateCustomer)
- customers.PUT("/:id", middleware.RoleMiddleware("admin"), customerHandler.UpdateCustomer)
- customers.DELETE("/:id", middleware.RoleMiddleware("admin"), customerHandler.DeleteCustomer)
- }
+ // Company routes
+ companies := protected.Group("/companies")
+ {
+ companies.GET("", companyHandler.GetCompanies)
+ companies.GET("/:id", companyHandler.GetCompanyByID)
+ companies.POST("", middleware.RoleMiddleware("admin"), companyHandler.CreateCompany)
+ companies.PUT("/:id", middleware.RoleMiddleware("admin"), companyHandler.UpdateCompany)
+ companies.DELETE("/:id", middleware.RoleMiddleware("admin"), companyHandler.DeleteCompany)
+ }
 
- // Project routes
- projects := api.Group("/projects")
- {
- projects.GET("", projectHandler.GetProjects)
- projects.GET("/with-customers", projectHandler.GetProjectsWithCustomers)
- projects.GET("/:id", projectHandler.GetProjectByID)
- projects.GET("/customer/:customerId", projectHandler.GetProjectsByCustomerID)
- projects.POST("", middleware.RoleMiddleware("admin"), projectHandler.CreateProject)
- projects.PUT("/:id", middleware.RoleMiddleware("admin"), projectHandler.UpdateProject)
- projects.DELETE("/:id", middleware.RoleMiddleware("admin"), projectHandler.DeleteProject)
- }
+ // Customer routes
+ customers := protected.Group("/customers")
+ {
+ customers.GET("", customerHandler.GetCustomers)
+ customers.GET("/:id", customerHandler.GetCustomerByID)
+ customers.GET("/company/:companyId", customerHandler.GetCustomersByCompanyID)
+ customers.POST("", middleware.RoleMiddleware("admin"), customerHandler.CreateCustomer)
+ customers.PUT("/:id", middleware.RoleMiddleware("admin"), customerHandler.UpdateCustomer)
+ customers.DELETE("/:id", middleware.RoleMiddleware("admin"), customerHandler.DeleteCustomer)
+ }
 
- // Time Entry routes
- timeEntries := api.Group("/time-entries")
- {
- timeEntries.GET("", timeEntryHandler.GetTimeEntries)
- timeEntries.GET("/me", timeEntryHandler.GetMyTimeEntries)
- timeEntries.GET("/range", timeEntryHandler.GetTimeEntriesByDateRange)
- timeEntries.GET("/:id", timeEntryHandler.GetTimeEntryByID)
- timeEntries.GET("/user/:userId", timeEntryHandler.GetTimeEntriesByUserID)
- timeEntries.GET("/project/:projectId", timeEntryHandler.GetTimeEntriesByProjectID)
- timeEntries.POST("", timeEntryHandler.CreateTimeEntry)
- timeEntries.PUT("/:id", timeEntryHandler.UpdateTimeEntry)
- timeEntries.DELETE("/:id", timeEntryHandler.DeleteTimeEntry)
+ // Project routes
+ projects := protected.Group("/projects")
+ {
+ projects.GET("", projectHandler.GetProjects)
+ projects.GET("/with-customers", projectHandler.GetProjectsWithCustomers)
+ projects.GET("/:id", projectHandler.GetProjectByID)
+ projects.GET("/customer/:customerId", projectHandler.GetProjectsByCustomerID)
+ projects.POST("", middleware.RoleMiddleware("admin"), projectHandler.CreateProject)
+ projects.PUT("/:id", middleware.RoleMiddleware("admin"), projectHandler.UpdateProject)
+ projects.DELETE("/:id", middleware.RoleMiddleware("admin"), projectHandler.DeleteProject)
+ }
+
+ // Time Entry routes
+ timeEntries := protected.Group("/time-entries")
+ {
+ timeEntries.GET("", timeEntryHandler.GetTimeEntries)
+ timeEntries.GET("/me", timeEntryHandler.GetMyTimeEntries)
+ timeEntries.GET("/range", timeEntryHandler.GetTimeEntriesByDateRange)
+ timeEntries.GET("/:id", timeEntryHandler.GetTimeEntryByID)
+ timeEntries.GET("/user/:userId", timeEntryHandler.GetTimeEntriesByUserID)
+ timeEntries.GET("/project/:projectId", timeEntryHandler.GetTimeEntriesByProjectID)
+ timeEntries.POST("", timeEntryHandler.CreateTimeEntry)
+ timeEntries.PUT("/:id", timeEntryHandler.UpdateTimeEntry)
+ timeEntries.DELETE("/:id", timeEntryHandler.DeleteTimeEntry)
+ }
 }
 }
 }
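Review bot: The time-entry routes that take an identifier (`GET /:id`, `GET /user/:userId`, `GET /project/:projectId`, `PUT /:id`, `DELETE /:id`) are registered on `protected` with only `AuthMiddleware`, so at the router level any authenticated user can address another user's entries. The same applies to `users.GET("")` and `users.GET("/:id")`. The handlers are not part of this diff, so it cannot be confirmed here that they compare the caller's identity with the record's owner. If they do not, the cross-user listing should be gated the way the write routes of the other groups are, e.g. `timeEntries.GET("/user/:userId", middleware.RoleMiddleware("admin"), timeEntryHandler.GetTimeEntriesByUserID)`. If they do, a comment above the group such as `// No role check here: ownership is enforced inside the time-entry handlers.` would record that for the next reviewer. SetupRouter begins before this hunk, so anything registered on `r` or `api` earlier in the function is not covered by this note.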