diff --git a/server-api/src/auth.rs b/server-api/src/auth.rs
index 62ae751..e953a1f 100644
--- a/server-api/src/auth.rs
+++ b/server-api/src/auth.rs
@@ -1,5 +1,5 @@
 use bcrypt::{self, BcryptResult};
-use mysql_async::{Pool};
+use mysql_async::Pool;
 use mysql_async::error::Error as SqlError;
@@ -58,21 +58,44 @@ pub fn encrypt_secret(raw: &str) -> BcryptResult {
 return bcrypt::hash(raw, BCRYPT_COST);
 }
+fn get_jwt(params: &serde_json::Value) -> Option<&str> {
+ // gets the `token` from the parameters
+ // option -> some(value) -> string
+ return params.get("token")?.as_str();
+}
+
+fn valid_jwt(token: &str) -> AuthReason {
+ // TODO
+ return AuthReason::Good;
+}
+
 pub async fn wall_entry(path: &str, pool: &Pool, params: &serde_json::Value) -> Result {
 use std::borrow::Cow;
 // Dont need to auth if it's not required
- if routes::is_open(path) {
- Ok(AuthReason::OpenAuth)
+ let open_path = routes::is_open(path);
+ let jwt = get_jwt(params);
+
+ if open_path { // ignore the parameters since they're irelevant
+ return Ok(AuthReason::OpenAuth);
+ }
+
+ else if let Some(jwt) = jwt {
+ // if we have a jwt then verify its validity
+ return Ok(valid_jwt(jwt)); // Good|BadKey
 } else {
- // make sure we have some legit parameter to use
+
+ // Last chance we might be hitting the /login route so we have to do the heavy auth flow
 match (params.get("id"), params.get("secret")) {
 /*
 * If we apparantly have user data then check for validity in credentials
 */
 (Some(id_v), Some(secret_v)) => {
 /* unwrapping because i couldn't care less about poorly formatted request data */
+ if path != "/login" {
+ return Ok(AuthReason::BadKey);
+ }
 let id = id_v.as_u64().unwrap_or(0); // basically nobody is allowed to have 0 as its supposed to be reserved
 let secret = secret_v.as_str().unwrap_or("");
 return match Member::get(pool, id).await {
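Review bot: `valid_jwt` returns `AuthReason::Good` for every input, and the new `else if let Some(jwt) = jwt` branch in `wall_entry` returns its result directly, so any non-open route accepts a request whose params carry a string `token`, with no signature, expiry or subject check. Until verification exists the stub should fail closed, `return AuthReason::BadKey;`, and the `// TODO` should say what remains to be verified. `login_get_jwt` in the last hunk has the same shape: it binds `id_v` and `secret_v` and then returns `Good` without comparing them to anything. `wall_entry`'s body continues past the end of this hunk.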
@@ -96,7 +119,11 @@ pub async fn wall_entry(path: &str, pool: &Pool, params: &serde_json::Value) ->
 }
 }
+pub async fn login_get_jwt(pool: &Pool, params: &serde_json::Value) -> Result {
+ let (id_v, secret_v) = (params.get("id"), params.get("secret"));
+ return Ok(AuthReason::Good);
+}
 #[cfg(test)]