diff --git a/kamailio/auth.cfg b/kamailio/auth.cfg index e85e657..dbe1440 100644 --- a/kamailio/auth.cfg +++ b/kamailio/auth.cfg @@ -1,4 +1,5 @@ - +#!trydef KZ_STRICT_AUTH 1 +kazoo.strict_auth = KZ_STRICT_AUTH descr "only allow requests from registered or trusted sources" route[AUTH] { @@ -52,23 +53,31 @@ route[AUTH_HEADERS_JSON] route[SETUP_AUTH_HEADERS] { + $avp(auth_allowed) = "false"; $xavp(hf=>X-AUTH-IP) = $si; $xavp(hf[0]=>X-AUTH-PORT) = $sp; #!ifdef REGISTRAR_ROLE - $avp(is_registered) = "false"; $xavp(regcfg=>match_received) = $su; - if (registered("location","$fu", 2, 1) != 1) return; - - $avp(is_registered) = "true"; - #!ifdef WITH_AUTH_TOKEN - route(AUTH_TOKEN); - #!else - route(AUTH_CCVS); + if (registered("location","$fu", 2, 1) == 1) { + $avp(is_registered) = "true"; + $avp(auth_allowed) = "true"; + route(AUTH_TOKEN); + return; + } #!endif - #!endif + if (allow_trusted()) { + $avp(auth_allowed) = "true"; + $xavp(hf[0]=>X-AUTH-Token) = $avp(trusted_x_header); + $xavp(hf[0]=>X-AUTH-URI-User) = $rU; + $xavp(hf[0]=>X-AUTH-URI-Realm) = $rd; + $xavp(hf[0]=>X-AUTH-To-IP) = $RAi; + $xavp(hf[0]=>X-AUTH-To-Port) = $RAp; + $xavp(hf[0]=>X-AUTH-Source) = "trusted"; + return; + } } 
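Review bot: The new `kazoo.strict_auth` variable is the switch for the 403 deny added to route[SETUP], but nothing at its definition says so, and `#!trydef KZ_STRICT_AUTH 1` turns that deny on by default. A comment beside the definition would save the next reader a search: `# 1 = route[SETUP] rejects requests that SETUP_AUTH_HEADERS did not mark $avp(auth_allowed)="true" (registered or trusted-table peer); any other value only populates the auth headers`. As a cfg group variable it can presumably be changed at runtime through cfg_rpc, so it is worth stating whether that is intended or whether KZ_STRICT_AUTH is meant to be the only knob.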
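Review bot: `$avp(is_registered) = "false";` is dropped from route[SETUP_AUTH_HEADERS] and only the "true" assignment survives, so on the not-registered path the AVP is now unset rather than "false"; any later test of `$avp(is_registered) == "false"` would stop matching. Unless every consumer compares against "true", keep the initializer next to the new `$avp(auth_allowed) = "false";` at the top of the route. A comment above the `allow_trusted()` branch is also worth adding: outside REGISTRAR_ROLE it is the only path that sets `$avp(auth_allowed)`, so with strict auth on, a non-registrar role accepts only peers present in the permissions trusted table, and `X-AUTH-Token` carries whatever tag that table row holds via `peer_tag_avp`, which may be empty. If the permissions module runs in cached mode, newly added trusted rows take effect only after a reload, presumably `permissions.trustedReload`, which is worth noting for operators.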
@@ -85,41 +94,4 @@ route[AUTH_TOKEN] } } -route[AUTH_CCVS] -{ - if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID}{s.len}) > 0) - $xavp(hf[0]=>X-ecallmgr_Account-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID}); - - if($(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-Type}{s.len}) > 0) - $xavp(hf[0]=>X-ecallmgr_Authorizing-Type) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-Type}); - - if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID}{s.len}) > 0 && $(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-Type}{s.len}) > 0) - $xavp(hf[0]=>X-AUTH-Token) = $_s($(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-ID})@$(xavp(ulattrs=>custom_channel_vars){kz.json,Account-ID})); - - if($(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-ID}{s.len}) > 0) - $xavp(hf[0]=>X-ecallmgr_Authorizing-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Authorizing-ID}); - - if($(xavp(ulattrs=>custom_channel_vars){kz.json,Username}{s.len}) > 0) - $xavp(hf[0]=>X-ecallmgr_Username) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Username}); - - if($(xavp(ulattrs=>custom_channel_vars){kz.json,Realm}{s.len}) > 0) - $xavp(hf[0]=>X-ecallmgr_Realm) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Realm}); - - if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Realm}{s.len}) > 0) - $xavp(hf[0]=>X-ecallmgr_Account-Realm) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Realm}); - - if($(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Name}{s.len}) > 0) - $xavp(hf[0]=>X-ecallmgr_Account-Name) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Account-Name}{s.escape.param}); - - if($(xavp(ulattrs=>custom_channel_vars){kz.json,Presence-ID}{s.len}) > 0) - $xavp(hf[0]=>X-ecallmgr_Presence-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Presence-ID}); - - if($(xavp(ulattrs=>custom_channel_vars){kz.json,Owner-ID}{s.len}) > 0) - $xavp(hf[0]=>X-ecallmgr_Owner-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Owner-ID}); - - 
if($(xavp(ulattrs=>custom_channel_vars){kz.json,Hotdesk-Current-ID}{s.len}) > 0) - $xavp(hf[0]=>X-ecallmgr_Hotdesk-Current-ID) = $(xavp(ulattrs=>custom_channel_vars){kz.json,Hotdesk-Current-ID}); - -} - #!endif diff --git a/kamailio/default.cfg b/kamailio/default.cfg index 20d44d2..e870940 100644 --- a/kamailio/default.cfg +++ b/kamailio/default.cfg @@ -210,6 +210,12 @@ modparam("debugger", "mod_level", "core=1") ####### STATISTICS ###### loadmodule "statistics.so" +####### Permissions module ########## +loadmodule "permissions.so" +modparam("permissions", "db_url", "KAZOO_DB_URL") +modparam("permissions", "db_mode", KZ_PERMISSIONS_CACHE) +modparam("permissions", "peer_tag_avp", "$avp(trusted_x_header)") + ####### DATABASE module ########## include_file "db_KAMAILIO_DBMS.cfg" @@ -281,11 +287,6 @@ include_file "sanity.cfg" ## auth ## include_file "auth.cfg" -####### Permissions module ########## -loadmodule "permissions.so" -modparam("permissions", "db_url", "KAZOO_DB_URL") -modparam("permissions", "db_mode", 1) - ###### local route ###### tcp_children = 5 listen=tcp:127.0.0.1:5090 @@ -633,6 +634,13 @@ route[PREPARE_INITIAL_REQUESTS] route[SETUP] { + + if($sel(cfg_get.kazoo.strict_auth) == 1 && $avp(auth_allowed) != "true") { + xlog("L_WARN", "$ci|auth|request denied\n"); + sl_reply("403", "Please Register"); + exit; + } + #!ifdef DISPATCHER_ROLE if (!isflagset(FLAG_INTERNALLY_SOURCED)) { route(DISPATCHER_FIND_ROUTES);
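Review bot: `modparam("permissions", "db_mode", KZ_PERMISSIONS_CACHE)` relies on a define this diff never introduces, whereas `KZ_STRICT_AUTH` in auth.cfg gets a `#!trydef`; unless KZ_PERMISSIONS_CACHE is defined in an earlier include, the bare identifier will most likely fail to parse. Adding `#!trydef KZ_PERMISSIONS_CACHE 1` above the loadmodule keeps the previous behaviour as the default, since the removed block used the literal 1 (caching mode). The block is presumably moved above `include_file "auth.cfg"` because the new SETUP_AUTH_HEADERS calls `allow_trusted()`, which needs the module loaded before that route is parsed; a one-line comment saying so would keep someone from moving it back. The following hunk is only the matching removal of the old block.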