diff --git a/backend/src/main.rs b/backend/src/main.rs index 534bd49..fc92327 100644 --- a/backend/src/main.rs +++ b/backend/src/main.rs @@ -77,8 +77,6 @@ async fn main() -> anyhow::Result<()> { let jwt_service = auth::JwtService::new(config.jwt.clone()); // Get the underlying MongoDB database for security services - // We need to create a database instance for the security services - // Get it from the MongoDb struct by accessing its internal database let database = db.get_database(); // Initialize security services (Phase 2.6) @@ -105,16 +103,17 @@ async fn main() -> anyhow::Result<()> { }; eprintln!("Building router with security middleware..."); - let app = Router::new() - // Health and status endpoints (no auth required) + + // Build public routes (no auth required) + let public_routes = Router::new() .route("/health", get(handlers::health_check).head(handlers::health_check)) .route("/ready", get(handlers::ready_check)) - - // Authentication endpoints .route("/api/auth/register", post(handlers::register)) .route("/api/auth/login", post(handlers::login)) - .route("/api/auth/recover-password", post(handlers::recover_password)) - + .route("/api/auth/recover-password", post(handlers::recover_password)); + + // Build protected routes (auth required) + let protected_routes = Router::new() // User profile management .route("/api/users/me", get(handlers::get_profile)) .route("/api/users/me", put(handlers::update_profile)) @@ -139,7 +138,7 @@ async fn main() -> anyhow::Result<()> { .route("/api/sessions/:id", delete(handlers::revoke_session)) .route("/api/sessions/all", delete(handlers::revoke_all_sessions)) - // Medication management + // Medication management (Phase 2.7) .route("/api/medications", post(handlers::create_medication)) .route("/api/medications", get(handlers::list_medications)) .route("/api/medications/:id", get(handlers::get_medication)) 
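Review bot: In the `@@ -105,16 +103,17 @@` hunk, whether a route requires a token is now decided only by which builder chain it sits in, and nothing at `let protected_routes = Router::new()` says so. The auth layer is attached at the end of that chain (in the last hunk), and axum's `layer` covers only routes added before it is called, so a route appended after that call, or added to `public_routes` by mistake, is served without authentication. I would expand the comment to `// Protected routes: jwt_auth_middleware is attached at the end of this chain; add new routes above that call`, and add a test that requests each protected path without a token and expects it to be rejected. The chain continues outside this hunk, so routes on the lines not shown are also moved behind the middleware; it is worth confirming that none of them has to stay reachable without a token.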
@@ -147,7 +146,13 @@ async fn main() -> anyhow::Result<()> { .route("/api/medications/:id/delete", post(handlers::delete_medication)) .route("/api/medications/:id/log", post(handlers::log_dose)) .route("/api/medications/:id/adherence", get(handlers::get_adherence)) - + .layer(axum::middleware::from_fn_with_state( + state.clone(), + middleware::jwt_auth_middleware + )); + + let app = public_routes + .merge(protected_routes) .with_state(state) .layer( ServiceBuilder::new()
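Review bot: The auth middleware is attached with `.layer(...)`, which in axum also wraps the router's fallback, so after `.merge(protected_routes)` a request for a path that matches no route may be answered by `jwt_auth_middleware` with an auth error instead of a 404; the exact outcome depends on the merge rules of the axum version in use. axum provides `route_layer` for middleware that returns early, such as authorization, and it runs only when a route matches: `.route_layer(axum::middleware::from_fn_with_state(state.clone(), middleware::jwt_auth_middleware))`. Separately, `jwt_auth_middleware` itself is not visible in this diff; since the protected group includes the `/api/sessions/:id` revocation routes, it is presumably expected to reject tokens that belong to a revoked session and not only check signature and expiry, which should be confirmed. The enclosing `main` continues outside the hunk.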