diff --git a/www/web/warppay/urls.py b/www/web/warppay/urls.py
index 3e053b5ecbbe701b421be348096c56fa3f8444f2..20cb31b82c5ac1cab92b35c2292ced4c14a9ddc5 100644
--- a/www/web/warppay/urls.py
+++ b/www/web/warppay/urls.py
@@ -7,7 +7,7 @@ urlpatterns = [
     url(r'^api/users/(?P<user_id>\w+)/$', views.user_list),
     url(r'^api/products/$', views.product_list),
     url(r'^api/categories/$', views.category_list),
-    url(r'^api/gen_token/$', views.gen_token),
+    # url(r'^api/gen_token/$', views.gen_token),
     url(r'^api/transaction/(?P<user_id>\w+)/$', views.transaction),
     url(r'^api/products/(?P<prod_id>\w+)/barcode/$', views.addBarcode),
 
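Review bot: The `gen_token` route is switched off by commenting it out rather than deleting it, so the endpoint can come back with a single uncomment; remove the line and let version control keep the history. The view still appears to be defined in views.py (`def gen_token(request)` shows up as context in a later hunk header), so it is worth deleting or protecting it in the same change. Separately, the `addBarcode` route two lines below is not among the views this commit decorates. If it was written like the others it may still be reachable without a token, so confirm it carries the same `@authentication_classes`/`@permission_classes` pair.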
diff --git a/www/web/warppay/views.py b/www/web/warppay/views.py
index efe221c4332fbe1d0a6061ab0d5db53d64286f65..42e223ea8a0cc51b9e175dac995c3a3e94b7d3bc 100644
--- a/www/web/warppay/views.py
+++ b/www/web/warppay/views.py
@@ -13,9 +13,9 @@ from rest_framework import status
 
 # logging.getLogger('main').info(token.key)
 
-@api_view(['GET', 'PUT'])
-#@authentication_classes((TokenAuthentication,))
-#@permission_classes((IsAuthenticated,))
+@api_view(['GET'])
+@authentication_classes((TokenAuthentication,))
+@permission_classes((IsAuthenticated,))
 def category_list(request):
     if request.method == 'GET':
         products = ProductCategory.objects.all()
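Review bot: Authentication is opted into per view here and again on `product_list`, `user_list` and `transaction`, so any view that misses the decorator pair stays open by default. Setting the defaults once in the project's `REST_FRAMEWORK` settings, `'DEFAULT_AUTHENTICATION_CLASSES': ['rest_framework.authentication.TokenAuthentication']` and `'DEFAULT_PERMISSION_CLASSES': ['rest_framework.permissions.IsAuthenticated']`, would make every endpoint closed unless explicitly opened. As a smaller style point, with `@api_view(['GET'])` the `if request.method == 'GET':` test in `category_list` is always true and can be dropped. The function body continues outside the hunk.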
@@ -26,8 +26,8 @@ def category_list(request):
 
 
 @api_view(['GET', 'PUT'])
-#@authentication_classes((TokenAuthentication,))
-#@permission_classes((IsAuthenticated,))
+@authentication_classes((TokenAuthentication,))
+@permission_classes((IsAuthenticated,))
 def product_list(request):
     if request.method == 'GET':
         products = Product.objects.all()
@@ -62,8 +62,8 @@ def gen_token(request):
     return Response()
 
 @api_view(['GET', 'PUT'])
-#@authentication_classes((TokenAuthentication,))
-#@permission_classes((IsAuthenticated,))
+@authentication_classes((TokenAuthentication,))
+@permission_classes((IsAuthenticated,))
 def user_list(request, user_id = 0):
     if request.method == 'GET':
         sync_users()
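Review bot: `IsAuthenticated` on `user_list` only establishes that the caller holds some valid token; nothing in the visible lines ties the `user_id` from the URL to `request.user`. The same applies to `transaction` in the next hunk, where any token holder could submit a `PUT` against another user's id, and to `PUT` on `product_list`, which is now open to every authenticated account. The bodies of these views lie outside the hunks, so this may already be handled there. If it is not, add an object-level check near the top of each view, for example `if str(request.user.pk) != str(user_id) and not request.user.is_staff: return Response(status=status.HTTP_403_FORBIDDEN)`, adjusted to however `user_id` maps to the authenticated account.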
@@ -117,8 +117,8 @@ def user_list(request, user_id = 0):
 
 
 @api_view(['PUT'])
-#@authentication_classes((TokenAuthentication,))
-#@permission_classes((IsAuthenticated,))
+@authentication_classes((TokenAuthentication,))
+@permission_classes((IsAuthenticated,))
 def transaction(request, user_id=None):
     if request.method == 'PUT':
         if 'trans_type' not in request.data or not user_id: