@itsjoshbruce it's the request (route or route group middleware). Authenticated user is set early to the container and then various areas are protected based on the user's roles. Of course, there are more detailed checks later in the flow (e.g. parts of the interface are hidden or different depending on role/permissions). Middleware is stopping the unintended actions, like playing with URLs to access what's not supposed to be seen or actioned on.