diff --git a/go.work.sum b/go.work.sum
index 5715ec8..55c5587 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -779,6 +779,7 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.
 google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20241007155032-5fefd90f89a9 h1:+d6UwW1ElERBQ1pMjX1fJHEQIsACGO6EBeaiwKJgbrs=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:T8O3fECQbif8cez15vxAcjbwXxvL2xbnvbQ7ZfiMAMs=
+google.golang.org/genproto/googleapis/bytestream v0.0.0-20241015192408-796eee8c2d53 h1:mVZqGNBNN8C63iGnWgHZSGbT/vG7voylnp4atysmReg=
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20241015192408-796eee8c2d53/go.mod h1:T8O3fECQbif8cez15vxAcjbwXxvL2xbnvbQ7ZfiMAMs=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
diff --git a/k8s/auth-server/base/auth-server-configmaps.yaml b/k8s/auth-server/base/auth-server-configmaps.yaml
index 98cf231..1179b43 100644
--- a/k8s/auth-server/base/auth-server-configmaps.yaml
+++ b/k8s/auth-server/base/auth-server-configmaps.yaml
@@ -7,22 +7,14 @@ data:
 rules.json: |
 [
 {
- "id": "health-check",
+ "id": "k8s-health",
 "match": {
- "url": "<^http://oathkeeper-proxy\\.default\\.svc\\.cluster\\.local:4455/authenticate$>",
- "methods": [
- "GET"],
- "headers": {
- "X-Original-Uri": [
- "^/\\.well-known/health$"]
- }
+ "url": "<^/health/(ready|alive|live)$>",
+ "methods": ["GET"]
 },
 "authenticators": [
 {
- "handler": "anonymous",
- "config": {
- "subject": "guest"
- }
+ "handler": "noop"
 }
 ],
 "authorizer": {
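Review bot: The new `k8s-health` pattern `<^/health/(ready|alive|live)$>` is anchored to a bare path, but Oathkeeper documents `match.url` as being compared against the full request URL including scheme and host, so if that holds for this deployment the rule never matches and the probes fall through to the default decision instead of being allowed. Anchoring on the full URL while keeping the path tight would look like `"url": "<^https?://[^/]+/health/(ready|alive|live)$>"`; verify with a probe against the decisions endpoint before relying on it. The same path-only anchoring applies to the `wellknown-endpoints` pattern in the next hunk. Switching the authenticator from `anonymous` to `noop` is reasonable for liveness probes, but it admits everything the pattern matches with no identity at all, which is why the pattern has to stay this precise.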
@@ -34,28 +26,18 @@ data:
 }
 ],
 "upstream": {
- "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200/.well-known/health",
- "preserve_host": false,
- "preserve_path": false
+ "url": "http://oathkeeper-proxy.default.svc.cluster.local:4455"
 }
 },
 {
- "id": "alive-check",
+ "id": "wellknown-endpoints",
 "match": {
- "url": "<^http://oathkeeper-proxy\\.default\\.svc\\.cluster\\.local:4455/authenticate$>",
- "methods": [
- "GET"],
- "headers": {
- "X-Original-Uri": [
- "^/\\.well-known/alive$"]
- }
+ "url": "<^/decisions/.well-known/(alive|health)>",
+ "methods": ["GET"]
 },
 "authenticators": [
 {
- "handler": "anonymous",
- "config": {
- "subject": "guest"
- }
+ "handler": "noop"
 }
 ],
 "authorizer": {
@@ -68,8 +50,7 @@ data:
 ],
 "upstream": {
 "url": "http://eventrunner-api.eventrunner.svc.cluster.local:8200/.well-known/alive",
- "preserve_host": false,
- "preserve_path": false
+ "preserve_host": true
 }
 }
- ]
+ ]
\ No newline at end of file
diff --git a/k8s/eventrunner-api/base/ingress.yaml b/k8s/eventrunner-api/base/ingress.yaml
index b3cf3dc..924f7a0 100644
--- a/k8s/eventrunner-api/base/ingress.yaml
+++ b/k8s/eventrunner-api/base/ingress.yaml
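Review bot: The `wellknown-endpoints` pattern `<^/decisions/.well-known/(alive|health)>` loses both the `\\.` escape and the trailing `$` that the removed pattern had, so the `.` matches any character and any path that merely begins with `/decisions/<any-char>well-known/health` (for example `/.well-known/healthz`) is admitted by the `noop` authenticator with no identity. Restore both, at minimum `"url": "<^/decisions/\\.well-known/(alive|health)$>"`. As far as I can tell from Oathkeeper's decision handler it strips the `/decisions` prefix and prepends scheme and host before matching, in which case the literal `/decisions/` must go as well and the pattern should anchor on the full URL like the one proposed for the previous hunk; confirm with a request. The upstream in the following hunk still points at `/.well-known/alive` while this match also covers `health`, and the `k8s-health` upstream at the top of this hunk points back at `oathkeeper-proxy:4455` itself; both are inert in decision-API mode where upstream is ignored, but they misroute or loop if these rules are ever served in proxy mode.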
@@ -4,26 +4,24 @@ metadata:
 name: eventrunner-api
 namespace: eventrunner
 annotations:
- cert-manager.io/cluster-issuer: threadr-issuer
- nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/authenticate"
- nginx.ingress.kubernetes.io/auth-response-headers: "X-User,X-Tenant-ID,X-Request-Id,Authorization"
- nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/auth-url: "http://oathkeeper-proxy.default.svc.cluster.local:4455/decisions$request_uri"
+ nginx.ingress.kubernetes.io/auth-method: GET
+ nginx.ingress.kubernetes.io/auth-response-headers: "Authorization"
 nginx.ingress.kubernetes.io/auth-snippet: |
- proxy_set_header X-Original-Uri $request_uri;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Original-Method $request_method;
+ proxy_set_header Content-Length "";
 spec:
 ingressClassName: nginx
- tls:
- - hosts:
- - api.tunnel.threadr.ai
- secretName: eventrunner-api-tls
 rules:
 - host: api.tunnel.threadr.ai
 http:
 paths:
- - path: /
+ - path: /.well-known
 pathType: Prefix
 backend:
 service:
 name: eventrunner-api
 port:
- number: 8200
+ number: 8200
\ No newline at end of file
diff --git a/k8s/ory/oathkeeper/oathkeeper-values.yaml b/k8s/ory/oathkeeper/oathkeeper-values.yaml
index b4ae131..c412e91 100644
--- a/k8s/ory/oathkeeper/oathkeeper-values.yaml
+++ b/k8s/ory/oathkeeper/oathkeeper-values.yaml
@@ -34,12 +34,25 @@ oathkeeper: authenticators: anonymous: enabled: true + config: + subject: "guest" noop: enabled: true authorizers: allow: enabled: true + deny: + enabled: true + + errors: + fallback: + - json + handlers: + json: + enabled: true + config: + verbose: true mutators: noop:
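Review bot: Removing the `tls:` block, `ssl-redirect: "true"` and the `cert-manager.io/cluster-issuer` annotation leaves `api.tunnel.threadr.ai` served over plain HTTP at this ingress, and the `Authorization` header that `auth-response-headers` now returns crosses that hop in the clear. If TLS now terminates in front of the ingress (the `tunnel` hostname hints at that), record it beside the host, e.g. `# TLS terminates at the tunnel; this ingress is plain HTTP on the cluster network`; otherwise restore the `tls:` block and `ssl-redirect`. Separately, `auth-method: GET` turns every auth subrequest into a GET, so the `methods: ["GET"]` lists in the Oathkeeper rules no longer constrain the client's real method; that method arrives only in the added `X-Original-Method` header, which none of the rules in this commit inspect, so either match on that header in the rules or drop `auth-method` if method restriction is meant to be enforced.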
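Review bot: `verbose: true` on the json error handler makes Oathkeeper include the underlying error details in its error responses, as far as its documentation describes, and that body is visible to anyone who can reach the decision or proxy endpoint directly; keep it `verbose: false` outside development or set it per environment overlay. Enabling the `deny` authorizer is a sound default to have available, but the rules' `authorizer` bodies fall outside the visible hunks, so whether any rule actually uses it cannot be confirmed here. Moving `subject: "guest"` into the global `anonymous` config is consistent with the per-rule `config` blocks removed in the configmap hunks, though no remaining visible rule uses `anonymous` any more.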