diff --git a/paladins-webservice/src/main/java/dev/luzifer/spring/config/ApiKeyAuthFilter.java b/paladins-webservice/src/main/java/dev/luzifer/spring/config/ApiKeyAuthFilter.java
index 5b03101..baee758 100644
--- a/paladins-webservice/src/main/java/dev/luzifer/spring/config/ApiKeyAuthFilter.java
+++ b/paladins-webservice/src/main/java/dev/luzifer/spring/config/ApiKeyAuthFilter.java
@@ -3,12 +3,15 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+@Order(Ordered.HIGHEST_PRECEDENCE)
 @Slf4j
 public class ApiKeyAuthFilter extends AbstractAuthenticationProcessingFilter {
diff --git a/paladins-webservice/src/main/java/dev/luzifer/spring/config/WebSecurityConfig.java b/paladins-webservice/src/main/java/dev/luzifer/spring/config/WebSecurityConfig.java
index 072bef3..ed857ea 100644
--- a/paladins-webservice/src/main/java/dev/luzifer/spring/config/WebSecurityConfig.java
+++ b/paladins-webservice/src/main/java/dev/luzifer/spring/config/WebSecurityConfig.java
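Review bot: `@Order(Ordered.HIGHEST_PRECEDENCE)` on the class has no effect on where ApiKeyAuthFilter sits in the Spring Security chain; that position comes only from the `addFilterAfter(...)` call in WebSecurityConfig. The annotation is honoured when Spring Boot auto-registers a `Filter` bean with the servlet container, which applies if `apiKeyAuthFilter(...)` in WebSecurityConfig is a `@Bean` (only its signature is visible, in that file's second hunk header); the filter would then run a second time per request, outside the security chain and ahead of everything else. If it is meant to run only inside the security chain, drop the annotation and declare a `FilterRegistrationBean<ApiKeyAuthFilter>` bean for it with `registration.setEnabled(false)`, which keeps the bean but suppresses the container registration. Either way a class Javadoc should state which of the two placements is intended. The body of ApiKeyAuthFilter is outside the hunk.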
@@ -13,7 +13,8 @@ import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.web.SecurityFilterChain; -import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; +import org.springframework.security.web.authentication.AnonymousAuthenticationFilter; +import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint; @Configuration @EnableWebSecurity @@ -38,11 +39,14 @@ public ApiKeyAuthFilter apiKeyAuthFilter(AuthenticationManager authenticationMan public SecurityFilterChain securityFilterChain( HttpSecurity http, AuthenticationManager authenticationManager) throws Exception { http.csrf(AbstractHttpConfigurer::disable) - .addFilterBefore( - apiKeyAuthFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class) + .addFilterAfter( + apiKeyAuthFilter(authenticationManager), AnonymousAuthenticationFilter.class) .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated()) .sessionManagement( - session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)); + session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) + .anonymous(AbstractHttpConfigurer::disable) + .exceptionHandling( + exception -> exception.authenticationEntryPoint(new Http403ForbiddenEntryPoint())); log.debug("API key: {}", apiKey); log.debug("API key header: {}", apiKeyHeader);
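Review bot: `log.debug("API key: {}", apiKey);` in the trailing context of the securityFilterChain hunk writes the configured API key, the secret this chain authenticates against, to the log whenever debug logging is enabled, and the commit leaves it in place. Replace the two debug lines with `log.debug("API key header: {} (key configured: {})", apiKeyHeader, apiKey != null);` so the header name stays visible while the key value never reaches log storage. The ordering change looks sound to me: `.anonymous(AbstractHttpConfigurer::disable)` removes AnonymousAuthenticationFilter from the chain, but as far as I know `addFilterAfter` positions ApiKeyAuthFilter by that class's registered order rather than by its presence, which deserves a comment such as `// anchored by registered order; the anonymous filter itself is disabled below` so nobody "repairs" the anchor later. With anonymous authentication gone every request lacking a valid key reaches `Http403ForbiddenEntryPoint`, which answers 403 with an empty body rather than 401; worth stating in the method's Javadoc so API clients know what to expect. securityFilterChain continues past the end of the hunk.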