diff --git a/backend/app/Http/Controllers/AuthController.php b/backend/app/Http/Controllers/AuthController.php index aed50c0..1bdfd6d 100644 --- a/backend/app/Http/Controllers/AuthController.php +++ b/backend/app/Http/Controllers/AuthController.php @@ -39,7 +39,6 @@ class AuthController extends Controller public function login(Request $request) { - //TODO: https://stackoverflow.com/a/73980629 if (!Auth::attempt($request->only('username', 'password'))) { return response()->json([ 'message' => 'Invalid login details' @@ -60,9 +59,14 @@ class AuthController extends Controller public function logout(Request $request) { - //TODO: https://stackoverflow.com/a/73980629 Logger::log("Logout"); - auth('web')->logout(); + if( + method_exists(auth()->user(), 'currentAccessToken') && + method_exists(auth()->user()->currentAccessToken(), 'delete') + ) { + auth()->user()->currentAccessToken()->delete(); + } + auth()->guard('api')->logout(); return; } @@ -81,6 +85,18 @@ class AuthController extends Controller public function impersonate(Request $request, $user) { + if(!$request->user()) { + return response()->json([ + 'message' => 'Unauthorized' + ], 401); + } + $authUser = User::find($request->user()->id); + if(!$authUser->canImpersonate()) { + return response()->json([ + 'message' => 'Unauthorized' + ], 401); + } + $impersonatedUser = User::find($user); $request->user()->impersonate($impersonatedUser); $token = $impersonatedUser->createToken('auth_token')->plainTextToken; @@ -93,6 +109,12 @@ class AuthController extends Controller public function stopImpersonating(Request $request) { + if(!$request->user()) { + return response()->json([ + 'message' => 'Unauthorized' + ], 401); + } + $request->user()->leaveImpersonation(); return; } diff --git a/backend/app/Http/Kernel.php b/backend/app/Http/Kernel.php index b6ea116..0f3607a 100644 --- a/backend/app/Http/Kernel.php +++ b/backend/app/Http/Kernel.php 
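Review bot: `auth()->guard('api')->logout()` in logout clears the guard's user but, with the session driver the `api` guard now uses, leaves the session id and CSRF token intact; the usual pattern for a session logout is to follow it with `$request->session()->invalidate();` and `$request->session()->regenerateToken();` so the old session cannot be reused. The new guard also calls `auth()->user()` three times and passes it straight to `method_exists()`, which emits a deprecation or a TypeError (PHP-version dependent) if the action is reached without an authenticated user; fetch it once, `$user = auth()->user();`, and prefix the condition with `$user !== null &&`. The `return;` at the end of the hunk closes the method, so the whole body is visible here.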
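Review bot: `User::find($user)` in impersonate is still unguarded: an unknown id yields null and the next line's `$impersonatedUser->createToken(...)` fails with a 500 instead of a 404; `$impersonatedUser = User::findOrFail($user);` fixes that. The new `canImpersonate()` branch answers 401 for a user who is authenticated but not permitted, which is a 403 case and prompts clients to retry login rather than report a permission problem. `$authUser = User::find($request->user()->id)` re-queries the model the guard already resolved; `if (!$request->user()->canImpersonate())` avoids the extra query. Because the routes hunk moves `/impersonate/{user}` and `/stop_impersonating` out of the `auth:sanctum` group, these in-controller `$request->user()` checks (repeated in stopImpersonating) are now the only authentication gate for both actions; keeping the routes behind the middleware and leaving only the authorization check here would be less fragile. impersonate's body continues past the end of the hunk.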
@@ -39,9 +39,11 @@ class Kernel extends HttpKernel ], 'api' => [ + \App\Http\Middleware\EncryptCookies::class, \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class, \Illuminate\Routing\Middleware\ThrottleRequests::class.':api', \Illuminate\Routing\Middleware\SubstituteBindings::class, + \Illuminate\Session\Middleware\StartSession::class, ], ]; diff --git a/backend/config/auth.php b/backend/config/auth.php index cae0028..0a123c3 100644 --- a/backend/config/auth.php +++ b/backend/config/auth.php @@ -14,7 +14,7 @@ return [ */ 'defaults' => [ - 'guard' => 'web', + 'guard' => 'api', 'passwords' => 'users', ], @@ -40,6 +40,11 @@ return [ 'driver' => 'session', 'provider' => 'users', ], + 'api' => [ + 'driver' => 'session', + 'provider' => 'users', + 'hash' => true, + ] ], /* diff --git a/backend/config/laratrust.php b/backend/config/laratrust.php index aeffb85..a3ff0d5 100644 --- a/backend/config/laratrust.php +++ b/backend/config/laratrust.php @@ -299,7 +299,7 @@ return [ | These middleware will get attached onto each Laratrust panel route. | */ - 'middleware' => ['web'], + 'middleware' => ['api'], /* |-------------------------------------------------------------------------- diff --git a/backend/config/sanctum.php b/backend/config/sanctum.php index 86703a0..6d3d984 100644 --- a/backend/config/sanctum.php +++ b/backend/config/sanctum.php @@ -33,7 +33,7 @@ return [ | */ - 'guard' => ['web'], + 'guard' => ['api'], /* |-------------------------------------------------------------------------- diff --git a/backend/routes/api.php b/backend/routes/api.php index 41861e1..c420c3f 100644 --- a/backend/routes/api.php +++ b/backend/routes/api.php 
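Review bot: Adding `\Illuminate\Session\Middleware\StartSession::class` unconditionally to the `api` group starts a session and issues a session cookie on every API request, including token-only ones, and together with the default guard becoming a session driver (the `config/auth.php` hunks) it makes API routes accept cookie-based authentication; `VerifyCsrfToken` is not in the group, so that path has CSRF protection only where `EnsureFrontendRequestsAreStateful` applies its own pipeline to origins listed in `sanctum.stateful`. If session authentication on the `api` group is intended, the application's `VerifyCsrfToken` middleware (and `AddQueuedCookiesToResponse`) should join the group, or the session guard should be limited to stateful requests. `EnsureFrontendRequestsAreStateful` already wraps stateful requests in `EncryptCookies` and `StartSession`, so for those requests the two newly added entries run twice; confirm the intended order against the kernel's `$middlewarePriority`. A one-line comment above the new entries stating why the api group now carries session state would help the next reader.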
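Review bot: The new `api` guard in `config/auth.php` is a `session` driver carrying `'hash' => true`, but `hash` is an option read by the `token` driver to compare hashed API tokens and is ignored by the session driver, so either it should be dropped or a token driver was intended. The entry is otherwise an exact copy of the `web` guard above it (same driver, same provider), so two session guards now share one provider; if that is deliberate, a short comment above `'api' => [` explaining why a separate guard is needed would save the next reader a search. The closing `]` of the new entry also lacks the trailing comma the `web` entry has.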
@@ -25,15 +25,14 @@ use Illuminate\Support\Facades\Artisan; */ Route::post('/login', [AuthController::class, 'login']); +Route::post('/impersonate/{user}', [AuthController::class, 'impersonate']); +Route::post('/stop_impersonating', [AuthController::class, 'stopImpersonating']); -Route::middleware('auth:web')->group( function () { +Route::middleware('auth:sanctum')->group( function () { //Route::post('/register', [AuthController::class, 'register']); //TODO: replace with admin only route Route::get('/me', [AuthController::class, 'me']); Route::post('/me', [AuthController::class, 'me']); - - Route::post('/impersonate/{user}', [AuthController::class, 'impersonate']); - Route::post('/stop_impersonating', [AuthController::class, 'stopImpersonating']); Route::get('/list', [UserController::class, 'index']);