diff --git a/Cargo.lock b/Cargo.lock
index 570d0e7..a7ac732 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -158,7 +158,7 @@ checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
 [[package]]
 name = "based"
 version = "0.1.0"
-source = "git+https://git.hydrar.de/jmarya/based#4e3107ce08aaf6f149880a00707f86f1e94683eb"
+source = "git+https://git.hydrar.de/jmarya/based#04852f2fbcc301d0c2b4098f613b9450b4474363"
 dependencies = [
  "bcrypt 0.16.0",
  "chrono",
diff --git a/src/route/admin.rs b/src/route/admin.rs
index 5413b66..e9352a2 100644
--- a/src/route/admin.rs
+++ b/src/route/admin.rs
@@ -1,20 +1,22 @@
 use crate::library::track::Track;
 use crate::library::Libary;
-use based::auth::User;
+use based::auth::APIUser;
 use based::request::api::{vec_to_api, FallibleApiResponse};
 use based::{check_admin, get_pg};
 use rocket::{get, State};
 use serde_json::json;
 
 #[get("/library/clean")]
-pub async fn clean_library(lib: &State<Libary>, u: User) -> FallibleApiResponse {
+pub async fn clean_library(lib: &State<Libary>, u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     check_admin!(u);
     lib.clean_lost_files().await;
     Ok(json!({"ok": 1}))
 }
 
 #[get("/library/singles")]
-pub async fn get_singles_route(u: User) -> FallibleApiResponse {
+pub async fn get_singles_route(u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     check_admin!(u);
     let singles: Vec<Track> =
         sqlx::query_as("SELECT * FROM track WHERE album IS NULL AND artist IS NOT NULL")
@@ -26,7 +28,8 @@ pub async fn get_singles_route(u: User) -> FallibleApiResponse {
 }
 
 #[get("/library/orphans")]
-pub async fn get_orphans_route(u: User) -> FallibleApiResponse {
+pub async fn get_orphans_route(u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     check_admin!(u);
     let orphans = Track::get_orphans().await;
     Ok(json!(vec_to_api(&orphans).await))
diff --git a/src/route/event.rs b/src/route/event.rs
index 5be9690..eb87fa4 100644
--- a/src/route/event.rs
+++ b/src/route/event.rs
@@ -1,7 +1,7 @@
 use crate::library::event::Event;
 use crate::library::event::EventKind;
 use crate::library::track::Track;
-use based::auth::User;
+use based::auth::APIUser;
 use based::request::api::api_error;
 use based::request::api::to_uuid;
 use based::request::api::FallibleApiResponse;
@@ -17,7 +17,8 @@ pub struct EventJson {
 }
 
 #[post("/report", data = "<report>")]
-pub async fn event_report_route(report: Json<EventJson>, u: User) -> FallibleApiResponse {
+pub async fn event_report_route(report: Json<EventJson>, u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     let track = &report.track;
     Event::create(
         report.kind.clone(),
diff --git a/src/route/playlist.rs b/src/route/playlist.rs
index a1c8e26..b565840 100644
--- a/src/route/playlist.rs
+++ b/src/route/playlist.rs
@@ -2,7 +2,7 @@ use crate::get_pg;
 use crate::library::playlist::Playlist;
 use crate::library::playlist::Visibility;
 use crate::library::track::Track;
-use based::auth::User;
+use based::auth::APIUser;
 use based::request::api::api_error;
 use based::request::api::to_uuid;
 use based::request::api::vec_to_api;
@@ -13,7 +13,8 @@ use rocket::serde::json::Json;
 use serde_json::json;
 
 #[get("/playlists")]
-pub async fn playlists_route(u: User) -> FallibleApiResponse {
+pub async fn playlists_route(u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     let mut playlists = vec![
         json!({"id": "recents", "name": "Recently Played"}),
         json!({"id": "recentlyAdded", "name": "Recently Added"}),
@@ -37,7 +38,8 @@ pub async fn recently_added_playlist() -> FallibleApiResponse {
 }
 
 #[get("/playlist/<id>")]
-pub async fn playlist_route(id: &str, u: User) -> FallibleApiResponse {
+pub async fn playlist_route(id: &str, u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     if id == "recents" {
         return Ok(Playlist {
             id: uuid::Uuid::nil(),
@@ -76,7 +78,8 @@ pub async fn playlist_route(id: &str, u: User) -> FallibleApiResponse {
 }
 
 #[get("/playlist/<id>/tracks")]
-pub async fn playlist_tracks_route(id: &str, u: User) -> FallibleApiResponse {
+pub async fn playlist_tracks_route(id: &str, u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     if id == "recents" {
         let tracks = Track::get_latest_of_user(&u).await;
         return Ok(json!(vec_to_api(&tracks).await));
@@ -117,7 +120,8 @@ pub struct PlaylistData {
 }
 
 #[post("/playlist", data = "<playlist>")]
-pub async fn playlist_add_route(playlist: Json<PlaylistData>, u: User) -> FallibleApiResponse {
+pub async fn playlist_add_route(playlist: Json<PlaylistData>, u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     let playlist = Playlist::create(
         u,
         &playlist
@@ -140,8 +144,9 @@ pub async fn playlist_add_route(playlist: Json<PlaylistData>, u: User) -> Fallib
 pub async fn playlist_edit_route(
     id: &str,
     edit: Json<PlaylistData>,
-    u: User,
+    u: APIUser,
 ) -> FallibleApiResponse {
+    let u = u.0;
     let playlist = Playlist::get(&to_uuid(id)?)
         .await
         .ok_or_else(|| api_error("No playlist with that ID found"))?;
diff --git a/src/route/track.rs b/src/route/track.rs
index fd9bfd2..097864f 100644
--- a/src/route/track.rs
+++ b/src/route/track.rs
@@ -1,6 +1,6 @@
 use crate::library::Libary;
 use based::{
-    auth::User,
+    auth::APIUser,
     check_admin,
     request::{
         api::{api_error, to_uuid, FallibleApiResponse, ToAPI},
@@ -29,8 +29,9 @@ pub async fn track_route(track_id: &str, lib: &State<Libary>) -> FallibleApiResp
 pub async fn track_reload_meta_route(
     track_id: &str,
     lib: &State<Libary>,
-    u: User,
+    u: APIUser,
 ) -> FallibleApiResponse {
+    let u = u.0;
     check_admin!(u);
     lib.reload_metadata(&to_uuid(track_id)?)
         .await
diff --git a/src/route/user.rs b/src/route/user.rs
index de529ad..019b245 100644
--- a/src/route/user.rs
+++ b/src/route/user.rs
@@ -1,4 +1,4 @@
-use based::auth::{Sessions, User, UserRole};
+use based::auth::{APIUser, Sessions, User, UserRole};
 use based::check_admin;
 use based::request::api::{api_error, vec_to_api, FallibleApiResponse};
 use rocket::get;
@@ -32,7 +32,8 @@ pub struct PasswdData {
 }
 
 #[post("/passwd", data = "<passwd>")]
-pub async fn passwd_route(passwd: Json<PasswdData>, u: User) -> FallibleApiResponse {
+pub async fn passwd_route(passwd: Json<PasswdData>, u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     u.passwd(&passwd.old, &passwd.new)
         .await
         .map_err(|()| api_error("Password change failed"))?;
@@ -43,7 +44,8 @@ pub async fn passwd_route(passwd: Json<PasswdData>, u: User) -> FallibleApiRespo
 }
 
 #[get("/users")]
-pub async fn users_route(u: User) -> FallibleApiResponse {
+pub async fn users_route(u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     check_admin!(u);
 
     let users: Vec<_> = vec_to_api(&User::find_all().await).await;
@@ -52,7 +54,8 @@ pub async fn users_route(u: User) -> FallibleApiResponse {
 }
 
 #[post("/userCreate", data = "<user>")]
-pub async fn user_create_route(user: Json<LoginData>, u: User) -> FallibleApiResponse {
+pub async fn user_create_route(user: Json<LoginData>, u: APIUser) -> FallibleApiResponse {
+    let u = u.0;
     check_admin!(u);
 
     let new_user = User::create(&user.username, &user.password, UserRole::Regular)