diff --git a/services/web/app/coffee/infrastructure/ExpressLocals.coffee b/services/web/app/coffee/infrastructure/ExpressLocals.coffee
index 100fd28bd6..4c6b3a7722 100644
--- a/services/web/app/coffee/infrastructure/ExpressLocals.coffee
+++ b/services/web/app/coffee/infrastructure/ExpressLocals.coffee
@@ -66,7 +66,7 @@ logger.log "Finished generating file fingerprints"
 cdnAvailable = Settings.cdn?.web?.host?
 darkCdnAvailable = Settings.cdn?.web?.darkHost?
-module.exports = (app, webRouter, apiRouter)->
+module.exports = (app, webRouter, privateApiRouter, publicApiRouter)->
 webRouter.use (req, res, next)->
 res.locals.session = req.session
 next()
@@ -82,7 +82,8 @@ module.exports = (app, webRouter, apiRouter)->
 )
 next()
 webRouter.use addSetContentDisposition
- apiRouter.use addSetContentDisposition
+ privateApiRouter.use addSetContentDisposition
+ publicApiRouter.use addSetContentDisposition
 webRouter.use (req, res, next)->
 req.externalAuthenticationSystemUsed = res.locals.externalAuthenticationSystemUsed = ->
diff --git a/services/web/app/coffee/infrastructure/Modules.coffee b/services/web/app/coffee/infrastructure/Modules.coffee
index 044b096c35..8c2e1756b6 100644
--- a/services/web/app/coffee/infrastructure/Modules.coffee
+++ b/services/web/app/coffee/infrastructure/Modules.coffee
@@ -15,14 +15,14 @@ module.exports = Modules =
 @modules.push loadedModule
 Modules.attachHooks()
- applyRouter: (webRouter, apiRouter) ->
+ applyRouter: (webRouter, apiRouter, publicApiRouter) ->
 for module in @modules
- module.router?.apply?(webRouter, apiRouter)
+ module.router?.apply?(webRouter, apiRouter, publicApiRouter)
- applyNonCsrfRouter: (webRouter, apiRouter) ->
+ applyNonCsrfRouter: (webRouter, apiRouter, publicApiRouter) ->
 for module in @modules
- module.nonCsrfRouter?.apply(webRouter, apiRouter)
- module.router?.applyNonCsrfRouter?(webRouter, apiRouter)
+ module.nonCsrfRouter?.apply(webRouter, apiRouter, publicApiRouter)
+ module.router?.applyNonCsrfRouter?(webRouter, apiRouter, publicApiRouter)
 viewIncludes: {}
 loadViewIncludes: (app) ->
diff --git a/services/web/app/coffee/infrastructure/Server.coffee b/services/web/app/coffee/infrastructure/Server.coffee
index de467503bf..12172aa94d 100644
--- a/services/web/app/coffee/infrastructure/Server.coffee
+++ b/services/web/app/coffee/infrastructure/Server.coffee
@@ -52,7 +52,8 @@ else
 app = express()
 webRouter = express.Router()
-apiRouter = express.Router()
+privateApiRouter = express.Router()
+publicApiRouter = express.Router()
 if Settings.behindProxy
 app.enable('trust proxy')
@@ -108,7 +109,7 @@ Modules.hooks.fire 'passportSetup', passport, (err) ->
 if err?
 logger.err {err}, "error setting up passport in modules"
-Modules.applyNonCsrfRouter(webRouter, apiRouter)
+Modules.applyNonCsrfRouter(webRouter, privateApiRouter, publicApiRouter)
 webRouter.use csrfProtection
 webRouter.use translations.expressMiddlewear
@@ -122,7 +123,7 @@ webRouter.use (req, res, next) ->
 next()
 webRouter.use ReferalConnect.use
-expressLocals(app, webRouter, apiRouter)
+expressLocals(app, webRouter, privateApiRouter, publicApiRouter)
 if app.get('env') == 'production'
 logger.info "Production Enviroment"
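Review bot: The second parameter of `applyRouter` and `applyNonCsrfRouter` is still named `apiRouter`, although Server.coffee now passes `privateApiRouter` in that position. I would rename it to `privateApiRouter` here, and in the `constructor` in router.coffee, which carries the same leftover name, so that a module author cannot mistake it for the publicly served router. A one-line comment above both methods would also help, for example `# apiRouter is the private (internal) router; publicApiRouter is served alongside webRouter`. Modules whose `apply` takes only two arguments should keep working, since the extra argument is simply ignored.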
@@ -143,7 +144,7 @@ webRouter.use (req, res, next) ->
 res.render("general/closed", {title:"maintenance"})
 profiler = require "v8-profiler"
-apiRouter.get "/profile", (req, res) ->
+privateApiRouter.get "/profile", (req, res) ->
 time = parseInt(req.query.time || "1000")
 profiler.startProfiling("test")
 setTimeout () ->
@@ -165,16 +166,17 @@ notDefined = (x) -> !x?
 enableApiRouter = Settings.web?.enableApiRouter
 if enableApiRouter or notDefined(enableApiRouter)
 logger.info("providing api router");
- app.use(apiRouter)
+ app.use(privateApiRouter)
 app.use(ErrorController.handleApiError)
 enableWebRouter = Settings.web?.enableWebRouter
 if enableWebRouter or notDefined(enableWebRouter)
 logger.info("providing web router");
+ app.use(publicApiRouter) # public API goes with web router for public access
 app.use(webRouter)
 app.use(ErrorController.handleError)
-router = new Router(webRouter, apiRouter)
+router = new Router(webRouter, privateApiRouter, publicApiRouter)
 module.exports =
 app: app
diff --git a/services/web/app/coffee/router.coffee b/services/web/app/coffee/router.coffee
index d9bfece40a..7658caaf0a 100644
--- a/services/web/app/coffee/router.coffee
+++ b/services/web/app/coffee/router.coffee
@@ -49,7 +49,7 @@ logger = require("logger-sharelatex")
 _ = require("underscore")
 module.exports = class Router
- constructor: (webRouter, apiRouter)->
+ constructor: (webRouter, apiRouter, publicApiRouter)->
 if !Settings.allowPublicAccess
 webRouter.all '*', AuthenticationController.requireGlobalLogin
@@ -77,7 +77,7 @@ module.exports = class Router
 ContactRouter.apply(webRouter, apiRouter)
 AnalyticsRouter.apply(webRouter, apiRouter)
- Modules.applyRouter(webRouter, apiRouter)
+ Modules.applyRouter(webRouter, apiRouter, publicApiRouter)
 if Settings.enableSubscriptions
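Review bot: `time = parseInt(req.query.time || "1000")` in the `/profile` handler takes the profiling duration straight from the query string, with no radix, no NaN handling and no upper bound, so a single request can keep the v8 profiler running for as long as the caller asks. Keeping the route on `privateApiRouter` limits who can reach it, but I would still clamp the value, e.g. `time = Math.min(parseInt(req.query.time, 10) || 1000, MAX_PROFILE_MS)`, where `MAX_PROFILE_MS` is a placeholder for a limit the team chooses. The handler body continues past the end of this hunk, so what is done with the finished profile is not visible here.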
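Review bot: `app.use(publicApiRouter)` is mounted ahead of `webRouter`, so its routes never pass through the middleware registered on `webRouter`; in the hunks shown that covers `csrfProtection` (Server.coffee) and `AuthenticationController.requireGlobalLogin` when `Settings.allowPublicAccess` is off (the `constructor` hunk in router.coffee). Every route placed on `publicApiRouter` therefore has to authenticate its caller itself and should not rely on the cookie session for state-changing requests; the inline comment could say so, e.g. `# publicApiRouter: no CSRF check and no global login gate, each route must enforce its own auth`. Errors raised on this router will presumably reach `ErrorController.handleError` rather than `handleApiError`, because the API error handler is registered before it, so it is worth confirming that the web error handler gives an API-appropriate response without extra detail.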