diff --git a/engine/src/auth/middleware.rs b/engine/src/auth/middleware.rs
index 301903c..2a13d8f 100644
--- a/engine/src/auth/middleware.rs
+++ b/engine/src/auth/middleware.rs
@@ -1,6 +1,10 @@
 use std::sync::Arc;
 
 use poem::{web::Data, Error, FromRequest, Request, RequestBody, Result};
+use poem_openapi::{
+    registry::{MetaSecurityScheme, Registry},
+    ApiExtractor, ApiExtractorType, ExtractParamOptions,
+};
 use reqwest::StatusCode;
 
 use super::hash::hash_session;
@@ -24,9 +28,19 @@ impl AuthToken {
     }
 }
 
-impl<'a> FromRequest<'a> for AuthToken {
-    async fn from_request(req: &'a Request, body: &mut RequestBody) -> Result<Self> {
-        let state = Data::<&Arc<AppState>>::from_request(req, body).await?;
+impl<'a> ApiExtractor<'a> for AuthToken {
+    const TYPES: &'static [ApiExtractorType] = &[ApiExtractorType::SecurityScheme];
+
+    type ParamType = ();
+
+    type ParamRawType = ();
+
+    async fn from_request(
+        req: &'a Request,
+        body: &mut RequestBody,
+        _param_opts: ExtractParamOptions<Self::ParamType>,
+    ) -> Result<Self> {
+        let state = <Data<&Arc<AppState>> as FromRequest>::from_request(req, body).await?;
 
         // extract cookies from request
         let _cookies = req.headers().get("Cookie").and_then(|x| x.to_str().ok());
@@ -57,4 +71,23 @@ impl<'a> FromRequest<'a> for AuthToken {
             None => Ok(AuthToken::None),
         }
     }
+
+    fn register(registry: &mut Registry) {
+        registry.create_security_scheme(
+            "AuthToken",
+            MetaSecurityScheme {
+                ty: "http",
+                description: Some("Session token for authentication"),
+                name: None,
+                key_in: None,
+                scheme: Some("bearer"),
+                bearer_format: Some("Bearer"),
+                flows: None,
+                openid_connect_url: None,
+            },
+        );
+    }
+    fn security_schemes() -> Vec<&'static str> {
+        vec!["AuthToken"]
+    }
 }
diff --git a/engine/src/routes/sessions/mod.rs b/engine/src/routes/sessions/mod.rs
index 1bfe3f7..6d60eb3 100644
--- a/engine/src/routes/sessions/mod.rs
+++ b/engine/src/routes/sessions/mod.rs
@@ -5,16 +5,16 @@ use poem_openapi::{param::Path, payload::Json, OpenApi};
 use reqwest::StatusCode;
 use tracing::info;
 
-use crate::{auth::middleware::AuthToken, models::sessions::Session, state::AppState};
 use super::ApiTags;
-pub mod delete;
+use crate::{auth::middleware::AuthToken, models::sessions::Session, state::AppState};
+// pub mod delete;
 
 pub struct SessionsApi;
 
 #[OpenApi]
 impl SessionsApi {
     /// /sessions
-    /// 
+    ///
     /// Get all sessions for the current user
     #[oai(path = "/sessions", method = "get", tag = "ApiTags::Auth")]
     async fn get_sessions(
@@ -22,7 +22,9 @@ impl SessionsApi {
         auth: AuthToken,
         state: Data<&Arc<AppState>>,
     ) -> Result<Json<Vec<Session>>> {
-        let active_user = auth.ok().ok_or(Error::from_status(StatusCode::UNAUTHORIZED))?;
+        let active_user = auth
+            .ok()
+            .ok_or(Error::from_status(StatusCode::UNAUTHORIZED))?;
 
         Ok(Json(
             Session::get_by_user_id(&state.database, active_user.session.user_id)
@@ -32,9 +34,13 @@ impl SessionsApi {
     }
 
     /// /sessions/:session_id
-    /// 
+    ///
     /// Delete a Session by `session_id`
-    #[oai(path = "/sessions/:session_id", method = "delete", tag = "ApiTags::Auth")]
+    #[oai(
+        path = "/sessions/:session_id",
+        method = "delete",
+        tag = "ApiTags::Auth"
+    )]
     async fn delete_session(
         &self,
         auth: AuthToken,