diff --git a/admin/docker/requirements.pip3 b/admin/docker/requirements.pip3
index ffaf19a..5d387f6 100644
--- a/admin/docker/requirements.pip3
+++ b/admin/docker/requirements.pip3
@@ -12,5 +12,6 @@ minio==7.0.3
 urllib3==1.26.6
 schema==0.7.5
 Werkzeug~=2.0.0
+python-jose==3.3.0
 # Unused yet
 #flask-oidc==1.4.0
diff --git a/admin/src/admin/lib/load_config.py b/admin/src/admin/lib/load_config.py
index 58b8d9a..cb66a37 100644
--- a/admin/src/admin/lib/load_config.py
+++ b/admin/src/admin/lib/load_config.py
@@ -34,6 +34,9 @@ class loadConfig:
 app.config.setdefault(
 "VERIFY", True if os.environ["VERIFY"] == "true" else False
 )
+ app.config.setdefault(
+ "API_SECRET", os.environ.get("API_SECRET")
+ )
 except Exception as e:
 log.error(traceback.format_exc())
 raise
diff --git a/admin/src/admin/views/InternalViews.py b/admin/src/admin/views/InternalViews.py
index ee4c4c5..b99e00e 100644
--- a/admin/src/admin/views/InternalViews.py
+++ b/admin/src/admin/views/InternalViews.py
@@ -11,12 +11,14 @@ from flask import request
 from admin import app
-from .decorators import is_internal
+from .decorators import is_internal, is_internal_or_has_token
+import socket
 @app.route("/api/internal/users", methods=["GET"])
-@is_internal
+@is_internal_or_has_token
 def internal_users():
+ log.error(socket.gethostbyname("isard-apps-wordpress"))
 if request.method == "GET":
 sorted_users = sorted(app.admin.get_mix_users(), key=lambda k: k["username"])
 # group_users = [user for user in sorted_users if data['path'] in user['keycloak_groups']]
@@ -29,7 +31,7 @@ def internal_users():
 @app.route("/api/internal/users/filter", methods=["POST"])
-@is_internal
+@is_internal_or_has_token
 def internal_users_search():
 if request.method == "POST":
 data = request.get_json(force=True)
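Review bot: `os.environ.get("API_SECRET")` silently stores `None` when the variable is unset, unlike the `VERIFY` lookup two lines above, which uses `os.environ[...]` and fails at startup; a missing token-signing secret should be a hard failure rather than a `None` that only surfaces later inside token verification. Consider `app.config.setdefault("API_SECRET", os.environ["API_SECRET"])` so the existing `except` branch logs and re-raises, or an explicit check that raises when the value is empty. The enclosing `try` in `loadConfig` starts outside the hunk.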
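Review bot: `log.error(socket.gethostbyname("isard-apps-wordpress"))` at the top of `internal_users` looks like a leftover debugging line: it performs a DNS lookup on every request and logs the result at error level, and a resolution failure (`socket.gaierror`) would now raise from inside the view. It should be removed, or at most kept as `log.debug(...)`, assuming `log` is a module-level logger in this file (it is not visible in the hunk). `import socket` is also placed after the package-relative import; it belongs with the stdlib group above `from flask import request`. The `is_internal` → `is_internal_or_has_token` swap is repeated in the other five hunks of this file, so whatever semantics that decorator ends up with apply to all six endpoints.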
@@ -40,7 +42,7 @@ def internal_users_search():
 @app.route("/api/internal/groups", methods=["GET"])
-@is_internal
+@is_internal_or_has_token
 def internal_groups():
 if request.method == "GET":
 sorted_groups = sorted(app.admin.get_mix_groups(), key=lambda k: k["name"])
@@ -59,7 +61,7 @@ def internal_groups():
 @app.route("/api/internal/group/users", methods=["POST"])
-@is_internal
+@is_internal_or_has_token
 def internal_group_users():
 if request.method == "POST":
 data = request.get_json(force=True)
@@ -78,7 +80,7 @@ def internal_group_users():
 @app.route("/api/internal/roles", methods=["GET"])
-@is_internal
+@is_internal_or_has_token
 def internal_roles():
 if request.method == "GET":
 roles = []
@@ -96,7 +98,7 @@ def internal_roles():
 @app.route("/api/internal/role/users", methods=["POST"])
-@is_internal
+@is_internal_or_has_token
 def internal_role_users():
 if request.method == "POST":
 data = request.get_json(force=True)
diff --git a/admin/src/admin/views/decorators.py b/admin/src/admin/views/decorators.py
index 55ef0fe..441fde8 100644
--- a/admin/src/admin/views/decorators.py
+++ b/admin/src/admin/views/decorators.py
@@ -3,6 +3,10 @@ import socket
 from functools import wraps
+import json
+import os
+from jose import jwt
+from ..auth.tokens import get_header_jwt_payload
 from flask import redirect, request, url_for
 from flask_login import current_user, logout_user
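Review bot: `import os` and `from jose import jwt` are added to decorators.py but neither name is used by the new decorators in this diff, since token parsing is delegated to `get_header_jwt_payload`; unless they are used elsewhere in the file, they should be dropped, and keeping the `jose` dependency confined to `auth/tokens.py` avoids a second place that has to track its API. The new lines also interleave import groups: stdlib (`socket`, `functools`, `json`) should come first, then `flask`/`flask_login`/`jose`, then the relative `..auth.tokens` import last.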
@@ -34,3 +38,52 @@ def is_internal(fn):
 return redirect(url_for("login"))
 return decorated_view
+
+def has_token(fn):
+ @wraps(fn)
+ def decorated(*args, **kwargs):
+ payload = get_header_jwt_payload()
+ # if payload.get("role_id") != "admin":
+ # maintenance()
+ kwargs["payload"] = payload
+ return fn(*args, **kwargs)
+
+ return decorated
+
+def is_internal_or_has_token(fn):
+ @wraps(fn)
+ def decorated_view(*args, **kwargs):
+ remote_addr = (
+ request.headers["X-Forwarded-For"].split(",")[0]
+ if "X-Forwarded-For" in request.headers
+ else request.remote_addr.split(",")[0]
+ )
+ ## Now only checks if it is wordpress container,
+ ## but we should check if it is internal net and not haproxy
+ valid_jwt = False
+ try:
+ payload = get_header_jwt_payload()
+ valid_jwt = True
+ except:
+ valid_jwt = False
+ if valid_jwt:
+ return fn(*args, **kwargs)
+ else:
+ return (
+ json.dumps(
+ {
+ "error": "unauthorized",
+ "msg": "Unauthorized access",
+ }
+ ),
+ 401,
+ {"Content-Type": "application/json"},
+ )
+
+ if socket.gethostbyname("isard-apps-wordpress") == remote_addr:
+ return fn(*args, **kwargs)
+ else:
+ logout_user()
+ return redirect(url_for("login"))
+
+ return decorated_view
\ No newline at end of file
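Review bot: In `is_internal_or_has_token` the `if valid_jwt: ... else: return (... 401 ...)` block returns on both branches, so the `socket.gethostbyname("isard-apps-wordpress") == remote_addr` check after it is unreachable and the decorator is effectively token-only despite its name; the internal-address path has to run before the unauthorized response is produced. The bare `except:` around `get_header_jwt_payload()` also turns programming errors (an unset `API_SECRET`, an import problem in `auth/tokens.py`) into a plain 401, and `payload` is bound but never read, so `except Exception:` without the binding is cleaner. The address compared against the container is the first `X-Forwarded-For` entry, which is supplied by the client; as the inline `##` comment already notes, it is only meaningful when the request is known to have arrived through the proxy, so the comparison should be restricted to that case (or use `request.remote_addr` when it is the proxy hop) rather than trusting the header unconditionally. `has_token` is defined but not applied anywhere in this diff, and it injects `kwargs["payload"]`, so any view it is later applied to must accept a `payload` keyword. The rewrite below keeps the JSON 401 for both failure cases, which seems the intended response for `/api/internal/*` callers; if the `logout_user()` + redirect is still wanted for browser sessions, that branch can be reinstated in place of the final `return`.

```python
    def decorated_view(*args, **kwargs):
        # … unchanged: remote_addr resolution from X-Forwarded-For / remote_addr …
        try:
            get_header_jwt_payload()
        except Exception:
            # Not a valid token request; fall through to the internal-address check.
            pass
        else:
            return fn(*args, **kwargs)
        if socket.gethostbyname("isard-apps-wordpress") == remote_addr:
            return fn(*args, **kwargs)
        return (
            json.dumps({"error": "unauthorized", "msg": "Unauthorized access"}),
            401,
            {"Content-Type": "application/json"},
        )
```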