Since I want access to /api/* only allowed by logged in users I'm now simply fetching the route with the URLRouter and call the Userman authenticate method. Appears to be working.