diff --git a/spog/api/src/config/mod.rs b/spog/api/src/config/mod.rs
index c230a9bbd..9d02ef84f 100644
--- a/spog/api/src/config/mod.rs
+++ b/spog/api/src/config/mod.rs
@@ -6,7 +6,10 @@ use anyhow::bail;
 use spog_model::config::Configuration;
 use std::borrow::Cow;
 use std::path::PathBuf;
+use std::sync::Arc;
 use tracing::instrument;
+use trustification_auth::authenticator::Authenticator;
+use trustification_infrastructure::new_auth;
 
 pub struct Config {
     content: Configuration,
@@ -15,27 +18,49 @@ pub struct Config {
 
 impl Config {
     #[instrument(skip(self), err)]
-    async fn retrieve(&self) -> anyhow::Result<Cow<'_, Configuration>> {
+    async fn retrieve(&self, public: bool) -> anyhow::Result<Cow<'_, Configuration>> {
         Ok(match &self.source {
             Some(config) => {
                 // FIXME: need to cache instead re-parsing every time
                 // TODO: when we cache the result, attach a probe to it which fails if loading fails
                 let content = tokio::fs::read(config).await?;
-                Cow::Owned(serde_yaml::from_slice(&content)?)
+                let mut result = serde_yaml::from_slice(&content)?;
+                if public {
+                    result = Self::make_public(result);
+                }
+                Cow::Owned(result)
             }
             None => Cow::Borrowed(&self.content),
         })
     }
+
+    fn make_public(config: Configuration) -> Configuration {
+        Configuration {
+            global: config.global,
+            ..Default::default()
+        }
+    }
 }
 
-pub async fn get_config(config: web::Data<Config>) -> HttpResponse {
-    match config.retrieve().await {
+pub async fn get_config(config: &Config, public: bool) -> HttpResponse {
+    match config.retrieve(public).await {
         Ok(config) => HttpResponse::Ok().json(&config),
         Err(err) => HttpResponse::InternalServerError().body(err.to_string()),
     }
 }
 
-pub(crate) async fn configurator(source: Option<PathBuf>) -> anyhow::Result<impl Fn(&mut ServiceConfig) + Clone> {
+pub async fn get_private_config(config: web::Data<Config>) -> HttpResponse {
+    get_config(&config, false).await
+}
+
+pub async fn get_public_config(config: web::Data<Config>) -> HttpResponse {
+    get_config(&config, true).await
+}
+
+pub(crate) async fn configurator(
+    source: Option<PathBuf>,
+    auth: Option<Arc<Authenticator>>,
+) -> anyhow::Result<impl Fn(&mut ServiceConfig) + Clone> {
     let content = serde_yaml::from_slice(include_bytes!("default.yaml"))?;
 
     // do an initial check
@@ -53,7 +78,7 @@ pub(crate) async fn configurator(source: Option<PathBuf>) -> anyhow::Result<impl
                 source: Some(source),
             };
 
-            let _ = config.retrieve().await?;
+            let _ = config.retrieve(false).await?;
 
             config
         }
@@ -69,7 +94,12 @@ pub(crate) async fn configurator(source: Option<PathBuf>) -> anyhow::Result<impl
     Ok(move |service_config: &mut ServiceConfig| {
         service_config
             .app_data(config.clone())
-            .service(web::resource("/api/v1/config").to(get_config));
+            .service(
+                web::resource("/api/v1/config")
+                    .wrap(new_auth!(auth.clone()))
+                    .to(get_private_config),
+            )
+            .service(web::resource("/api/v1/config/public").to(get_public_config));
     })
 }
 
diff --git a/spog/api/src/server.rs b/spog/api/src/server.rs
index 7029799ca..ffd5f4e14 100644
--- a/spog/api/src/server.rs
+++ b/spog/api/src/server.rs
@@ -42,8 +42,6 @@ impl Server {
             provider: provider.clone(),
         });
 
-        let config_configurator = config::configurator(self.run.config).await?;
-
         let (authn, authz) = self.run.auth.split(self.run.devmode)?.unzip();
         let authenticator: Option<Arc<Authenticator>> = Authenticator::from_config(authn)
             .await
@@ -63,6 +61,8 @@ impl Server {
             log::info!("Snyk token is present");
         }
 
+        let config_configurator = config::configurator(self.run.config, authenticator.clone()).await?;
+
         let crda = self
             .run
             .crda_url
diff --git a/spog/ui/crates/backend/src/config.rs b/spog/ui/crates/backend/src/config.rs
index bdf7fcee9..d03749900 100644
--- a/spog/ui/crates/backend/src/config.rs
+++ b/spog/ui/crates/backend/src/config.rs
@@ -15,8 +15,15 @@ impl ConfigService {
         Self { backend, access_token }
     }
 
-    pub async fn get_config(&self) -> Result<Configuration, ApiError> {
-        let url = self.backend.join(Endpoint::Api, "/api/v1/config")?;
+    pub async fn get_config(&self, public: bool) -> Result<Configuration, ApiError> {
+        let url = self.backend.join(
+            Endpoint::Api,
+            if public {
+                "/api/v1/config/public"
+            } else {
+                "/api/v1/config"
+            },
+        )?;
 
         let response = gloo_net::http::Request::get(url.as_str())
             .latest_access_token(&self.access_token)
diff --git a/spog/ui/crates/utils/src/config/components.rs b/spog/ui/crates/utils/src/config/components.rs
index ad889c096..ca245866b 100644
--- a/spog/ui/crates/utils/src/config/components.rs
+++ b/spog/ui/crates/utils/src/config/components.rs
@@ -9,6 +9,8 @@ use yew_oauth2::hook::use_latest_access_token;
 pub struct ConfigurationProperties {
     #[prop_or_default]
     pub children: Children,
+    #[prop_or_default]
+    pub public: bool,
 }
 
 #[function_component(Configuration)]
@@ -17,13 +19,13 @@ pub fn configuration(props: &ConfigurationProperties) -> Html {
     let access_token = use_latest_access_token();
 
     let config = use_async_with_cloned_deps(
-        |backend| async {
+        |(backend, public)| async move {
             ConfigService::new(backend, access_token)
-                .get_config()
+                .get_config(public)
                 .await
                 .map(Rc::new)
         },
-        backend,
+        (backend, props.public),
     );
 
     match &*config {
diff --git a/spog/ui/src/app.rs b/spog/ui/src/app.rs
index 95b42f4f8..aac95b839 100644
--- a/spog/ui/src/app.rs
+++ b/spog/ui/src/app.rs
@@ -74,7 +74,7 @@ fn application_with_backend() -> Html {
                 scopes={backend.endpoints.oidc.scopes()}
                 {login_options}
             >
-                <Configuration>
+                <Configuration public=true>
                     { consent(html!(
                         <BackdropViewer>
                             <ToastViewer>
diff --git a/spog/ui/src/console/mod.rs b/spog/ui/src/console/mod.rs
index b8bfd21ff..a1d50f9f4 100644
--- a/spog/ui/src/console/mod.rs
+++ b/spog/ui/src/console/mod.rs
@@ -7,6 +7,7 @@ use spog_ui_components::{
     theme::DarkModeEntry,
 };
 use spog_ui_navigation::{AppRoute, View};
+use spog_ui_utils::config::components::Configuration;
 use spog_ui_utils::{analytics::*, config::*, hints::*};
 use yew::prelude::*;
 use yew_consent::hook::use_consent_context;
@@ -203,9 +204,11 @@ fn authenticated_page(props: &ChildrenProperties) -> Html {
     );
 
     html!(
-        <Page {brand} {sidebar} {tools}>
-            { props.children.clone() }
-        </Page>
+        <Configuration>
+            <Page {brand} {sidebar} {tools}>
+                { props.children.clone() }
+            </Page>
+        </Configuration>
     )
 }