diff --git a/backend/LexBoxApi/Program.cs b/backend/LexBoxApi/Program.cs
index 598dcd25e..31a98c0df 100644
--- a/backend/LexBoxApi/Program.cs
+++ b/backend/LexBoxApi/Program.cs
@@ -162,7 +162,7 @@ app.MapQuartzUI("/api/quartz").RequireAuthorization(new AdminRequiredAttribute());
 app.MapControllers();
 app.MapLfClassicApi().RequireAuthorization(new AdminRequiredAttribute()).WithOpenApi();
-app.MapSyncApi().AllowAnonymous().WithOpenApi();
+app.MapSyncApi().WithOpenApi();
 app.MapTus("/api/tus-test", async context => await context.RequestServices.GetRequiredService().GetTestConfig(context)) .RequireAuthorization(new AdminRequiredAttribute());
diff --git a/backend/LexBoxApi/Services/CrdtSyncRoutes.cs b/backend/LexBoxApi/Services/CrdtSyncRoutes.cs
index 8604aba10..57f51859d 100644
--- a/backend/LexBoxApi/Services/CrdtSyncRoutes.cs
+++ b/backend/LexBoxApi/Services/CrdtSyncRoutes.cs
@@ -1,4 +1,5 @@
 using Crdt.Core;
+using LexBoxApi.Auth.Attributes;
 using LexData;
 using LexData.Entities;
@@ -9,7 +10,8 @@ public static class CrdtSyncRoutes
 public static IEndpointConventionBuilder MapSyncApi(this IEndpointRouteBuilder endpoints, string path = "/api/sync/{id}") {
- var group = endpoints.MapGroup(path);
+ //todo determine if the user has permission to access the project, for now lock down to admin only
+ var group = endpoints.MapGroup(path).RequireAuthorization(new AdminRequiredAttribute());
 group.MapGet("/get", async (Guid id, LexBoxDbContext dbContext) => {
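Review bot: After this change `app.MapSyncApi().WithOpenApi();` is the only mapping in the Program.cs hunk whose access policy is not visible at the call site; the neighbouring `MapQuartzUI`, `MapLfClassicApi` and `MapTus` lines all state `.RequireAuthorization(new AdminRequiredAttribute())` right here. The admin requirement now lives inside `MapSyncApi` in CrdtSyncRoutes.cs, so someone auditing Program.cs cannot tell that the sync endpoints are locked down. I would either move the requirement to the call site to match the siblings or add a trailing comment such as `// admin-only, enforced in CrdtSyncRoutes.MapSyncApi`. A regression test asserting that an unauthenticated request to `/api/sync/{id}/get` is rejected would also catch `.AllowAnonymous()` being reintroduced.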
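Review bot: The `//todo` above the new `MapGroup(path).RequireAuthorization(...)` line in CrdtSyncRoutes.cs leaves per-project authorization unimplemented and points to no tracking issue, so the admin-only rule is the sole control on endpoints keyed by the `{id}` route value. If the group policy is later relaxed, each handler (the `MapGet("/get", ...)` taking `Guid id` and `LexBoxDbContext` is the one visible here) needs a check that the caller may access that project before it touches the database. I would reword the comment to say so, e.g. `// TODO(<issue-id>): replace admin-only with a per-project permission check on {id} before opening this to non-admins`. The method body continues outside the hunk, so it is not visible whether the returned builder is this group; if it is, a caller appending `.AllowAnonymous()` would bypass the requirement again, which deserves a line in the method's doc comment.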