diff --git a/inventory_provider/__init__.py b/inventory_provider/__init__.py
index 590610d4658972d3aa0ed6c4ccad4fb8c5571d01..41575bae2d9eca554e522347bd9f2d8c85db71a8 100644
--- a/inventory_provider/__init__.py
+++ b/inventory_provider/__init__.py
@@ -3,7 +3,7 @@ automatically invoked app factory
 """
 import logging
 import os
-from flask import Flask
+from flask import g, Flask, request, jsonify
 from flask_cors import CORS
 
 from inventory_provider import environment
@@ -54,7 +54,24 @@ def create_app(setup_logging=True):
     @auth.login_required
     def secure_before_request():
         """Enforces authentication for all routes"""
-        pass
+        client = g.get("auth_service")
+
+        if not client:
+            # This allows clients to access any resource without providing an API key
+            # TODO: Only for testing, should be removed in Production
+            return
+            # return jsonify({"error": "Unauthorized"}), 403
+
+        CLIENT_PERMISSIONS = {
+            "serviceA": ["msr"],
+            "serviceB": ["testing"],
+        }
+
+        allowed_routes = CLIENT_PERMISSIONS.get(client, [])
+        route = request.path.strip("/").split("/")[0]
+
+        if route not in allowed_routes:
+            return jsonify({"error": "Forbidden"}), 403
 
     # IMS based routes
 
diff --git a/inventory_provider/auth.py b/inventory_provider/auth.py
index 1f995033b2b468995712e9d41f266e14a48a49e1..466073e33c661ccf03fca9f5f60e9b2f8d8401f9 100644
--- a/inventory_provider/auth.py
+++ b/inventory_provider/auth.py
@@ -1,4 +1,4 @@
-from flask import Blueprint, current_app
+from flask import Blueprint, current_app, g
 from flask_httpauth import HTTPTokenAuth
 
 auth = HTTPTokenAuth(scheme="ApiKey")
@@ -12,6 +12,7 @@ def verify_api_key(api_key):
 
     for service, details in config['api-keys'].items():
         if details.get('api-key') == api_key:
+            g.auth_service = service
             return service
     return None