diff --git a/OAuthServer/Controllers/ExternalController.cs b/OAuthServer/Controllers/ExternalController.cs
new file mode 100644
index 0000000..af583f0
--- /dev/null
+++ b/OAuthServer/Controllers/ExternalController.cs
@@ -0,0 +1,32 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace OAuthServer.Controllers;
+
+[ApiController]
+[Route("")]
+public class ExternalController : ControllerBase
+{
+    private readonly ILogger<ExternalController> _logger;
+
+    public ExternalController(ILogger<ExternalController> logger)
+    {
+        _logger = logger;
+    }
+
+    [HttpPost]
+    [Authorize(Policy = "External")]
+    [Route("points")]
+    public ActionResult PostPoints(int points)
+    {
+        var id = HttpContext.User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
+        if (id == null)
+        {
+            return BadRequest();
+        }
+
+        _logger.LogInformation("User {} got {} points", id.Value, points);
+        return Ok();
+    }
+}
\ No newline at end of file
diff --git a/OAuthServer/Controllers/UserController.cs b/OAuthServer/Controllers/UserController.cs
new file mode 100644
index 0000000..01ce915
--- /dev/null
+++ b/OAuthServer/Controllers/UserController.cs
@@ -0,0 +1,19 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace OAuthServer.Controllers;
+
+[ApiController]
+[Route("")]
+public class UserController : ControllerBase
+{
+    
+    [HttpGet]
+    [Authorize(Policy = "User")]
+    [Route("user")]
+    public ActionResult GetUser()
+    {
+        
+        return Ok("Authorized as User");
+    }
+}
\ No newline at end of file