diff --git a/server/AyaNova/Controllers/AuthController.cs b/server/AyaNova/Controllers/AuthController.cs
index 1dce387f..1e532d3d 100644
--- a/server/AyaNova/Controllers/AuthController.cs
+++ b/server/AyaNova/Controllers/AuthController.cs
@@ -1,5 +1,6 @@
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;
using AyaNova.Models;
@@ -22,6 +23,7 @@ namespace AyaNova.Api.Controllers
[ApiVersion("8.0")]
[Route("api/v{version:apiVersion}/auth")]
[Produces("application/json")]
+ [Authorize]
public class AuthController : ControllerBase
{
private readonly AyContext ct;
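Review bot: The class-level `[Authorize]` only establishes that the caller is authenticated; the real authorization on this controller is still the per-action `Authorized.HasModifyRole(HttpContext.Items, ...)` style check, so any action that omits it remains reachable by every logged-in user. A one-line comment above the attribute would keep that intent from being lost, e.g. `// Default-deny: every action needs an authenticated caller unless marked [AllowAnonymous]; role checks are still done per action.`. The attribute also assumes the authentication/authorization middleware is registered in the pipeline, which this diff does not show.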
@@ -60,6 +62,7 @@ namespace AyaNova.Api.Controllers
///
///
[HttpPost]
+ [AllowAnonymous]
public async Task PostCreds([FromBody] AuthController.CredentialsParam creds) //if was a json body then //public JsonResult PostCreds([FromBody] string login, [FromBody] string password)
{
//a bit different as ops users can still login if the state is opsonly
@@ -258,9 +261,12 @@ namespace AyaNova.Api.Controllers
///
///
///
- [HttpPost("changepassword")]
+ [HttpPost("change-password")]
public async Task ChangePassword([FromBody] AuthController.ChangePasswordParam changecreds)
{
+ //Note: need to be authenticated to use this, only called from own user's UI
+ //it still asks for old creds in case someone attempts to do this on another user's logged in session
+
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
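Review bot: The new comment says re-asking for the old credentials protects against a change made on another user's logged-in session, but that only holds if the target account is taken from the authenticated principal and not from the request body; if `ChangePasswordParam` carries a login name, the handler should verify it matches the authenticated user or ignore it entirely. The rest of `ChangePassword`, including how the body is bound to a user, lies outside this hunk, so I cannot confirm which it is. Renaming the route from `changepassword` to `change-password` is also a breaking change for existing v8.0 clients with no fallback; either keep the old path as a second attribute, `[HttpPost("changepassword")]`, or call out the break in the changelog.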
@@ -269,8 +275,6 @@ namespace AyaNova.Api.Controllers
return BadRequest(new ApiErrorResponse(ModelState));
}
-
-
int nFailedAuthDelay = 3000;//should be just long enough to make brute force a hassle but short enough to not annoy people who just mistyped their creds to login
@@ -336,7 +340,8 @@ namespace AyaNova.Api.Controllers
///
///
///
- [HttpPost("resetpassword")]
+ [HttpPost("reset-password")]
+ [AllowAnonymous]
public async Task ResetPassword([FromBody] AuthController.ResetPasswordParam resetcreds)
{
if (!serverState.IsOpen)
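Review bot: `reset-password` is now an explicitly anonymous endpoint that consumes a reset code, so the code check inside it is the brute-force boundary: the code should be compared in constant time and failed attempts should incur at least the same delay the login path applies, otherwise a short code can be guessed within its validity window. The method body is outside this hunk, so I cannot tell whether that is already the case; a comment such as `// Anonymous by design: the reset code is the only secret, so failures must be delayed/limited like login` would make the expectation explicit. As with change-password, the rename from `resetpassword` to `reset-password` breaks existing clients unless the old route is kept.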
@@ -377,6 +382,32 @@ namespace AyaNova.Api.Controllers
return NoContent();
}
+ ///
+ /// Generate time limited password reset code for User
+ /// and email to them
+ ///
+ ///
+ /// User id
+ /// From route path
+ /// NoContent
+ [HttpPost("request-reset-password/{id}")]
+ public async Task SendPasswordResetCode([FromRoute] long id, ApiVersion apiVersion)
+ {
+ //Note: this is not allowed for an anonymous users because it's only intended for now to work for staff user's who will send the request on behalf of the User
+ if (!serverState.IsOpen)
+ return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
+ UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
+ if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+ if (!ModelState.IsValid)
+ return BadRequest(new ApiErrorResponse(ModelState));
+ bool successfulOperation = await biz.SendPasswordResetCode(id);
+ if (successfulOperation == false)
+ return BadRequest(new ApiErrorResponse(biz.Errors));
+ else
+ return NoContent();
+ }
+
//------------------------------------------------------
public class CredentialsParam
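Review bot: `SendPasswordResetCode` emails a reset code to any user id on the strength of a modify role, yet nothing in the hunk records who requested the reset for whom; since the file already imports `Microsoft.Extensions.Logging`, an audit line before the biz call is cheap, e.g. `logger.LogInformation("Password reset code requested for user {TargetId} by {Requester}", id, HttpContext.User?.Identity?.Name);` with the logger field name adjusted to whatever the class declares outside this hunk. The `apiVersion` parameter is bound but never used and was carried over from the old location; drop it or use it. The authentication requirement the comment relies on comes only from the class-level attribute, so a future `[AllowAnonymous]` on the class would silently expose this action; adding `[Authorize]` on the method itself documents and pins the intent. The comment wording "an anonymous users" should read "anonymous users".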
diff --git a/server/AyaNova/Controllers/UserController.cs b/server/AyaNova/Controllers/UserController.cs
index 3b3a7ab1..8e4dd4e7 100644
--- a/server/AyaNova/Controllers/UserController.cs
+++ b/server/AyaNova/Controllers/UserController.cs
@@ -317,30 +317,7 @@ namespace AyaNova.Api.Controllers
return Ok(ApiOkResponse.Response(u.UserType != UserType.Customer && u.UserType != UserType.HeadOffice));
}
- ///
- /// Generate time limited password reset code for User
- /// and email to them
- ///
- ///
- /// User id
- /// From route path
- /// NoContent
- [HttpPost("send-reset-code/{id}")]
- public async Task SendPasswordResetCode([FromRoute] long id, ApiVersion apiVersion)
- {
- if (!serverState.IsOpen)
- return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
- UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
- return StatusCode(403, new ApiNotAuthorizedResponse());
- if (!ModelState.IsValid)
- return BadRequest(new ApiErrorResponse(ModelState));
- bool successfulOperation = await biz.SendPasswordResetCode(id);
- if (successfulOperation == false)
- return BadRequest(new ApiErrorResponse(biz.Errors));
- else
- return NoContent();
- }
+
//------------