diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 41e9036..43f4224 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,6 +2,8 @@ class ApplicationController < ActionController::Base
 helper Mitlibraries::Theme::Engine.helpers
+ before_action :require_user
+ skip_before_action :require_user, only: :new_session_path
 rescue_from CanCan::AccessDenied do
 redirect_to root_path, alert: 'Not authorized.'
@@ -10,4 +12,12 @@ class ApplicationController < ActionController::Base
 def new_session_path(_scope)
 root_path
 end
+
+ private
+
+ def require_user
+ return if current_user
+
+ redirect_to root_path, alert: 'Please sign in to continue'
+ end
 end
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
index 951a568..51dd16e 100644
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -5,6 +5,7 @@ class GraphqlController < ApplicationController
 # This allows for outside API access while preventing CSRF attacks,
 # but you'll have to authenticate your user separately
 protect_from_forgery with: :null_session
+ skip_before_action :require_user
 def execute
 variables = prepare_variables(params[:variables])
diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb
index c41a44b..eb1716c 100644
--- a/app/controllers/static_controller.rb
+++ b/app/controllers/static_controller.rb
@@ -1,5 +1,13 @@
 # frozen_string_literal: true
 class StaticController < ApplicationController
+ skip_before_action :require_user, only: :index
+
 def index; end
+
+ def playground
+ authorize! :view, :playground
+
+ render layout: false
+ end
 end
diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index a08cb73..e58fb37 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
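Review bot: `skip_before_action :require_user, only: :new_session_path` names a helper, not a routed action — `new_session_path(_scope)` is the Devise redirect override defined further down this file — so unless a route dispatches to it the skip never fires and misleads a reader into thinking the sign-in entry point is exempted here. The real exemption lives on `StaticController#index` in the same diff; drop this line or move the exemption to where it takes effect. The new default-deny filter also deserves a why-comment on `before_action :require_user`, e.g. `# Every action requires a signed-in user unless the controller opts out via skip_before_action`.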
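Review bot: `require_user` answers every anonymous request with an HTML redirect, so a JSON or XHR caller receives a 302 to the root page rather than a 401, and the originally requested URL is not retained for after sign-in. Devise's `authenticate_user!` already does both per request format, so `before_action :authenticate_user!` would replace this filter; if the custom alert text is the reason for hand-rolling it, at least branch on `request.format.html?` and respond `head :unauthorized` for non-HTML. Either way the method needs a header comment such as `# Default-deny auth filter: anonymous visitors are sent to the landing page.`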
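Review bot: `skip_before_action :require_user` makes `/graphql` the one path in this diff that is reachable without a session, and together with `protect_from_forgery with: :null_session` on the line above, `current_user` is nil for any cookie-bearing request that omits the CSRF token. Nothing in the hunk shows the schema authorizing against a `context[:current_user]` (assuming `execute`, which continues outside the hunk, passes one), so the data this change otherwise gates behind `require_user` and `authorize!` may be open at the API layer. If resolver-level checks exist, state it here, e.g. `# Unauthenticated by design: every query and mutation must authorize against context[:current_user].`; if they do not, keep the filter for session-based callers and exempt only requests that present an API credential.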
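Review bot: `playground` is reachable only after `require_user` and `authorize! :view, :playground`, and because `Ability` in this diff leaves `can :view, :playground` commented out, the action is in practice admin-only via `can :manage, :all`; that policy is implicit, so a comment on the action, e.g. `# Admin-only until Ability grants :view on :playground`, would stop a reader from assuming every signed-in user qualifies. Note that this gates the page, not the API it presumably talks to: `GraphqlController` skips `require_user` in the same diff, so the playground check is not what protects the queries it issues. `skip_before_action :require_user, only: :index` correctly keeps the landing page public, and `render layout: false` is fine for a standalone page.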
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -6,6 +6,7 @@ module Users
 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 include FakeAuthConfig
+ skip_before_action :require_user
 def openid_connect
 @user = User.from_omniauth(request.env['omniauth.auth'])
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 998253a..4c4f547 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -10,6 +10,9 @@ def initialize(user)
 return if user.blank?
 # Rules will go here.
+ # all authenticated
+ # can :view, :playground
+
 return unless user.admin?
 can :manage, :all
diff --git a/app/views/layouts/_site_nav.html.erb b/app/views/layouts/_site_nav.html.erb
index a777138..7f1be8a 100644
--- a/app/views/layouts/_site_nav.html.erb
+++ b/app/views/layouts/_site_nav.html.erb
@@ -13,6 +13,9 @@
 <% if can? :index, Term %>
 <%= link_to('Admin', admin_root_path, class: 'nav-item') %>
 <% end %>
+ <% if can? :view, :playground %>
+ <%= link_to('Playground', '/playground', class: 'nav-item') %>
+ <% end %>
 <% end %>
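Review bot: the blanket `skip_before_action :require_user` is required here because the provider callback arrives before any session exists, but the reason is unstated and the unqualified skip looks like an oversight next to the `only:`-scoped skips elsewhere in the diff. A comment such as `# Provider callbacks run before sign-in, so the session filter must not apply to any action here` keeps a later reader from narrowing it with `only:` and breaking the other callback actions Devise defines, such as `failure`. `openid_connect` continues outside the hunk.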
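Review bot: `# can :view, :playground` under `# all authenticated` is commented-out code rather than documentation: it leaves the rule actually in force (admins reach the playground through `can :manage, :all`) unstated and invites an unreviewed uncomment later. Replace the two lines with a statement of the current policy, e.g. `# Playground access is admin-only for now; widening it to all signed-in users means adding can :view, :playground here.` `initialize` continues outside the hunk.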
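Review bot: the Playground link hard-codes `'/playground'` while the Admin link beside it uses a route helper; if the route is declared with a name (the routes file is not in this diff), use its helper, e.g. `<%= link_to('Playground', playground_path, class: 'nav-item') %>`, so the link and the `authorize! :view, :playground` gate cannot drift apart when the path changes. The `can? :view, :playground` guard mirrors the controller's check, which is the right pairing.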