hey im sorry to replay late i hope you have figured it out by now . the best way to lock the ROUTE would be in the settings/roles and that is something that is done by default . so that if a user sends a get request to /uploads it will return a response with a status of 403 . the get request to /uploads will return your whole media library . what you want is something you cant do. if i try to fetch /uploads/thespicificimage it will always return the image . but if you want to have some image private (for example you want to sell them) i suggest you create a content type that includes the image but the image is a private field that wont be returned in the api request . and then you can overwrite the find function for your content type so that if the user has payed for the image it should be returned in the api request . if you dont know how to do it i can explain how to do that as well