diff --git a/src/server.js b/src/server.js
index f8f64c99f..4c225c5e2 100644
--- a/src/server.js
+++ b/src/server.js
@@ -107,6 +107,10 @@ async function initializeExpressSync() {
     router.post('/api/v1/cloudron/password_reset',         json,           routes.cloudron.passwordReset);
     router.post('/api/v1/cloudron/setup_account',          json,           routes.cloudron.setupAccount);
 
+    // config route (for dashboard). can return some private configuration unlike status
+    router.get ('/api/v1/config',          token, authorizeUser, routes.cloudron.getConfig);
+    router.get ('/api/v1/platform_status', token, authorizeUser, routes.cloudron.getPlatformStatus);
+
     // cloudron routes
     router.get ('/api/v1/cloudron/language',           token, authorizeAdmin, routes.cloudron.getLanguage);
     router.post('/api/v1/cloudron/language',     json, token, authorizeAdmin, routes.cloudron.setLanguage);
@@ -163,10 +167,6 @@ async function initializeExpressSync() {
     router.post('/api/v1/backups/policy',     json, token, authorizeOwner, routes.backups.setPolicy);
     router.post('/api/v1/backups/:backupId',  json, token, authorizeAdmin, routes.backups.update);
 
-    // config route (for dashboard). can return some private configuration unlike status
-    router.get ('/api/v1/config',          token, authorizeUser, routes.cloudron.getConfig);
-    router.get ('/api/v1/platform_status', token, authorizeUser, routes.cloudron.getPlatformStatus);
-
     // working off the user behind the provided token
     router.get ('/api/v1/profile',                                       token, authorizeUser, routes.profile.get);
     router.post('/api/v1/profile',                                 json, token, authorizeUser, routes.profile.authorize, routes.profile.update);