diff --git a/Gemfile b/Gemfile
index a0600ced..b7ea08e9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -7,6 +7,8 @@ gem 'devise'
 gem 'redis'
 gem 'pg'
 gem 'pundit'
+gem 'cancan'
+gem 'pundit_extra'
 gem 'formula'
 gem 'formtastic'
 gem 'json'
diff --git a/Gemfile.lock b/Gemfile.lock
index 9e9731a6..a2a3b031 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -56,8 +56,9 @@ GEM binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) builder (3.2.2) - byebug (5.0.0) - columnize (= 0.9.0) + byebug (8.2.2) + cancan (1.6.10) + cancancan (1.10.1) climate_control (0.0.3) activesupport (>= 3.0) cocaine (0.5.8)
@@ -144,6 +145,7 @@ GEM pry (>= 0.9.10) pundit (1.1.0) activesupport (>= 3.0.0) + pundit_extra (0.1.1) quiet_assets (1.1.0) railties (>= 3.1, < 5.0) rack (1.6.4)
@@ -180,7 +182,7 @@ GEM activesupport (= 4.2.4) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - rake (11.0.1) + rake (11.1.0) redis (3.2.2) responders (2.1.1) railties (>= 4.2.0, < 5.1)
@@ -251,6 +253,7 @@ DEPENDENCIES best_in_place better_errors binding_of_caller + cancan coffee-rails devise dotenv
@@ -268,6 +271,7 @@ DEPENDENCIES pry-byebug pry-rails pundit + pundit_extra quiet_assets rails (= 4.2.4) rails3-jquery-autocomplete
diff --git a/app/controllers/api/restful_controller.rb b/app/controllers/api/restful_controller.rb
index d56783a0..ca7ff481 100644
--- a/app/controllers/api/restful_controller.rb
+++ b/app/controllers/api/restful_controller.rb
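Review bot: `gem 'cancan'` is added right next to `pundit` and `pundit_extra`, although the controller changes in this same commit remove the CanCan::AccessDenied references and rescue only Pundit::NotAuthorizedError, so the application ends up carrying two authorization frameworks. If Bundler requires cancan at boot, it also defines `load_and_authorize_resource` on ActionController::Base, so which library actually runs that filter in API::RestfulController is decided by include order rather than intent, and a CanCan::AccessDenied raised on that path is not rescued anywhere in this diff. The lockfile hunks on this line resolve both cancan 1.6.10 and cancancan 1.10.1, which looks like a leftover rather than a deliberate choice. Drop `gem 'cancan'` unless something outside this diff still needs it, or add a comment on the Gemfile line stating why both libraries are kept.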
@@ -1,24 +1,32 @@ class API::RestfulController < ActionController::Base + include Pundit + include PunditExtra + snorlax_used_rest! + rescue_from(Pundit::NotAuthorizedError) { |e| respond_with_standard_error e, 403 } + load_and_authorize_resource except: [:index, :create] + def create - raise CanCan::AccessDenied.new unless current_user.is_logged_in? + authorize resource_class instantiate_resouce resource.user = current_user create_action respond_with_resource end - def show - load_resource - raise AccessDenied.new unless resource.authorize_to_show(current_user) - respond_with_resource - end - private + def accessible_records + if current_user + visible_records + else + public_records + end + end + def current_user - super || token_user || LoggedOutUser.new + super || token_user || nil end def token_user
diff --git a/app/controllers/api/tokens_controller.rb b/app/controllers/api/tokens_controller.rb
index cc54e531..6ef01e69 100644
--- a/app/controllers/api/tokens_controller.rb
+++ b/app/controllers/api/tokens_controller.rb
@@ -1,7 +1,9 @@ class Api::TokensController < API::RestfulController + + skip_authorization def my_tokens - raise CanCan::AccessDenied.new unless current_user.is_logged_in? + raise Pundit::NotAuthorizedError.new unless current_user.is_logged_in? instantiate_collection page_collection: false, timeframe_collection: false respond_with_collection end
diff --git a/app/models/logged_out_user.rb b/app/models/logged_out_user.rb
deleted file mode 100644
index 14e0cfb9..00000000
--- a/app/models/logged_out_user.rb
+++ /dev/null
@@ -1,7 +0,0 @@
-class LoggedOutUser
-
- FALSE_METHODS = [:is_logged_in?]
-
- FALSE_METHODS.each { |method| define_method(method, -> { false }) }
-
-end
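Review bot: `current_user` now falls back to `nil` (LoggedOutUser is deleted in this commit), but callers still treat the result as an object: Api::TokensController#my_tokens in the next hunk calls `current_user.is_logged_in?`, which raises NoMethodError on nil and is not covered by the new `rescue_from`, so an anonymous request gets a 500 instead of the intended 403. Either keep a null object or change such guards to `raise Pundit::NotAuthorizedError unless current_user`, and audit the other `is_logged_in?` callers outside this diff. The `|| nil` in `super || token_user || nil` is redundant and `super || token_user` reads the same. The hunk is collapsed, so it is ambiguous whether the `private` marker was removed; if it was, `accessible_records`, `current_user` and `token_user` become public controller methods, which Rails counts as action methods, so they should stay below `private`. With a nil user, the policies reached through `authorize resource_class` and `load_and_authorize_resource` receive `user == nil`, so every policy method has to cope with that — worth confirming before merging.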
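Review bot: `skip_authorization` is declared without any explanation, and if it behaves like its CanCan namesake it turns off Pundit's verification for every action in this controller, leaving `my_tokens` protected only by the hand-written guard on the line below; a comment such as `# collection is scoped to current_user below; Pundit verification skipped on purpose` would record that this is intentional. Style: `raise Pundit::NotAuthorizedError` without `.new` is the idiomatic form when no message is passed. Raising NotAuthorizedError for a missing user also produces a 403 through the base controller's `rescue_from`, where 401 would describe an unauthenticated request more accurately; if 403 is the API contract, a short comment saying so would save the next reader the question.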