diff --git a/src/Squidex/Areas/Api/Controllers/Contents/ContentSwaggerController.cs b/src/Squidex/Areas/Api/Controllers/Contents/ContentSwaggerController.cs
index f1eab5c2f..9d458d6db 100644
--- a/src/Squidex/Areas/Api/Controllers/Contents/ContentSwaggerController.cs
+++ b/src/Squidex/Areas/Api/Controllers/Contents/ContentSwaggerController.cs
@@ -6,6 +6,7 @@
 // ==========================================================================
 
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Squidex.Areas.Api.Controllers.Contents.Generator;
 using Squidex.Domain.Apps.Entities;
@@ -31,6 +32,7 @@ namespace Squidex.Areas.Api.Controllers.Contents
         [HttpGet]
         [Route("content/{app}/docs/")]
         [ApiCosts(0)]
+        [AllowAnonymous]
         public IActionResult Docs(string app)
         {
             var vm = new DocsVM { Specification = $"~/content/{app}/swagger/v1/swagger.json" };
@@ -41,6 +43,7 @@ namespace Squidex.Areas.Api.Controllers.Contents
         [HttpGet]
         [Route("content/{app}/swagger/v1/swagger.json")]
         [ApiCosts(0)]
+        [AllowAnonymous]
         public async Task GetSwagger(string app)
         {
             var schemas = await appProvider.GetSchemasAsync(AppId);
diff --git a/src/Squidex/Pipeline/AppResolver.cs b/src/Squidex/Pipeline/AppResolver.cs
index 5c25d01c4..5435b62f3 100644
--- a/src/Squidex/Pipeline/AppResolver.cs
+++ b/src/Squidex/Pipeline/AppResolver.cs
@@ -9,6 +9,7 @@ using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Authorization;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Squidex.Domain.Apps.Entities;
 using Squidex.Domain.Apps.Entities.Apps;
@@ -62,7 +63,7 @@ namespace Squidex.Pipeline
         {
             var set = user.Permissions();
 
-            if (!set.Includes(Permissions.ForApp(Permissions.App, appName)))
+            if (!set.Includes(Permissions.ForApp(Permissions.App, appName)) && !AllowAnonymous(context))
             {
                 context.Result = new NotFoundResult();
                 return;
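Review bot: `[AllowAnonymous]` on GetSwagger (and on Docs in the previous hunk) makes the generated OpenAPI document for any `{app}` — its schemas and field definitions, as far as the generator emits them — readable without a token, including for apps whose content is not public; nothing in either hunk limits this to apps that opt in, and if that is the intent it should be recorded on the action rather than left implicit. An XML doc comment such as `/// Serves the generated OpenAPI document for the app. Intentionally anonymous: schema structure (never content) is visible to anyone who knows the app name.` would do that, with a matching sentence on Docs. Both action bodies continue outside their hunks.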
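Review bot: The added `&& !AllowAnonymous(context)` in AppResolver lets the resolver continue for callers who lack the app permission, so for anonymous actions the caller's identity is no longer a precondition for whatever the rest of this method does after the check (the method starts and ends outside the hunk); a comment at the condition, `// [AllowAnonymous] actions may resolve the app without app permission; such actions must only expose non-sensitive data`, would keep the next maintainer from widening this further. It also means the NotFound answer, which otherwise hides whether the caller may see the app, is no longer returned for this reason on anonymous actions, so app existence becomes observable through them; whether that matters depends on how the resolver treats unknown app names earlier in the method, which is outside the hunk.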
@@ -85,6 +86,11 @@ namespace Squidex.Pipeline
             await next();
         }
 
+        private static bool AllowAnonymous(ActionExecutingContext context)
+        {
+            return context.ActionDescriptor.FilterDescriptors.Any(x => x.Filter is AllowAnonymousFilter);
+        }
+
         private static PermissionSet FindByOpenIdClient(IAppEntity app, ClaimsPrincipal user)
         {
             var clientId = user.GetClientId();
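Review bot: `AllowAnonymous` reads like the attribute of the same name and does not say it is a predicate; a name such as `IsAnonymousAllowed` would sit better next to `FindByOpenIdClient` in the same file. The check also matches on the concrete `AllowAnonymousFilter`; matching on the interface it implements, `x.Filter is IAllowAnonymousFilter`, covers any filter that opts in the same way, and a comment above the method, `// True when the action or its controller is marked [AllowAnonymous]; MVC surfaces that attribute as an allow-anonymous filter in the action's filter list.`, explains why the filter list is consulted instead of the attribute. If a later framework version surfaces [AllowAnonymous] as endpoint metadata rather than as a filter, this check would silently report false, which fails closed to NotFound rather than open — the safe direction, but worth a line in that comment.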