diff --git a/build.gradle b/build.gradle
index 27b6f6d3cf..5b795d549f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -146,7 +146,7 @@ dependencies {
     compile "io.dropwizard.metrics:metrics-servlets:$dropwizardVersion"
     compile "io.dropwizard.metrics:metrics-jvm:$dropwizardVersion"
     compile 'org.apache.commons:commons-lang3:3.5'
-    compile 'org.zalando:nakadi-plugin-api:1.0.5'
+    compile 'org.zalando:nakadi-plugin-api:1.1.0'
     compile 'org.echocat.jomon:runtime:1.6.3'
 
     // kafka & zookeeper
diff --git a/src/main/java/org/zalando/nakadi/config/NakadiConfig.java b/src/main/java/org/zalando/nakadi/config/NakadiConfig.java
index c8aa3971a8..b2d420099f 100644
--- a/src/main/java/org/zalando/nakadi/config/NakadiConfig.java
+++ b/src/main/java/org/zalando/nakadi/config/NakadiConfig.java
@@ -2,23 +2,16 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Qualifier;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
-import org.springframework.core.io.DefaultResourceLoader;
 import org.springframework.core.task.SimpleAsyncTaskExecutor;
 import org.springframework.core.task.TaskExecutor;
 import org.springframework.scheduling.annotation.EnableScheduling;
 import org.zalando.nakadi.domain.Storage;
-import org.zalando.nakadi.exceptions.runtime.DuplicatedStorageException;
 import org.zalando.nakadi.exceptions.InternalNakadiException;
-import org.zalando.nakadi.plugin.api.ApplicationService;
-import org.zalando.nakadi.plugin.api.ApplicationServiceFactory;
-import org.zalando.nakadi.plugin.api.SystemProperties;
+import org.zalando.nakadi.exceptions.runtime.DuplicatedStorageException;
 import org.zalando.nakadi.repository.db.StorageDbRepository;
 import org.zalando.nakadi.repository.zookeeper.ZooKeeperHolder;
 import org.zalando.nakadi.repository.zookeeper.ZooKeeperLockFactory;
@@ -39,27 +32,6 @@ public ZooKeeperLockFactory zooKeeperLockFactory(final ZooKeeperHolder zooKeeper
         return new ZooKeeperLockFactory(zooKeeperHolder);
     }
 
-    @Bean
-    public SystemProperties systemProperties(final ApplicationContext context) {
-        return name -> context.getEnvironment().getProperty(name);
-    }
-
-    @Bean
-    @SuppressWarnings("unchecked")
-    public ApplicationService applicationService(@Value("${nakadi.auth.plugin.factory}") final String factoryName,
-                                                 final SystemProperties systemProperties,
-                                                 final DefaultResourceLoader loader) {
-        try {
-            LOGGER.info("Initialize application service factory: " + factoryName);
-            final Class<ApplicationServiceFactory> factoryClass =
-                    (Class<ApplicationServiceFactory>) loader.getClassLoader().loadClass(factoryName);
-            final ApplicationServiceFactory factory = factoryClass.newInstance();
-            return factory.init(systemProperties);
-        } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) {
-            throw new BeanCreationException("Can't create ApplicationService " + factoryName, e);
-        }
-    }
-
     @Bean
     @Qualifier("default_storage")
     public Storage defaultStorage(final StorageDbRepository storageDbRepository,
diff --git a/src/main/java/org/zalando/nakadi/config/PluginsConfig.java b/src/main/java/org/zalando/nakadi/config/PluginsConfig.java
new file mode 100644
index 0000000000..d36bce176b
--- /dev/null
+++ b/src/main/java/org/zalando/nakadi/config/PluginsConfig.java
@@ -0,0 +1,57 @@
+package org.zalando.nakadi.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.BeanCreationException;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.DefaultResourceLoader;
+import org.zalando.nakadi.plugin.api.ApplicationService;
+import org.zalando.nakadi.plugin.api.ApplicationServiceFactory;
+import org.zalando.nakadi.plugin.api.SystemProperties;
+import org.zalando.nakadi.plugin.api.authz.AuthorizationService;
+import org.zalando.nakadi.plugin.api.authz.AuthorizationServiceFactory;
+
+@Configuration
+public class PluginsConfig {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(PluginsConfig.class);
+
+    @Bean
+    public SystemProperties systemProperties(final ApplicationContext context) {
+        return name -> context.getEnvironment().getProperty(name);
+    }
+
+    @Bean
+    @SuppressWarnings("unchecked")
+    public ApplicationService applicationService(@Value("${nakadi.plugins.auth.factory}") final String factoryName,
+                                                 final SystemProperties systemProperties,
+                                                 final DefaultResourceLoader loader) {
+        try {
+            LOGGER.info("Initialize application service factory: " + factoryName);
+            final Class<ApplicationServiceFactory> factoryClass =
+                    (Class<ApplicationServiceFactory>) loader.getClassLoader().loadClass(factoryName);
+            final ApplicationServiceFactory factory = factoryClass.newInstance();
+            return factory.init(systemProperties);
+        } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) {
+            throw new BeanCreationException("Can't create ApplicationService " + factoryName, e);
+        }
+    }
+
+    @Bean
+    public AuthorizationService authorizationService(@Value("${nakadi.plugins.authz.factory}") final String factoryName,
+                                                     final SystemProperties systemProperties,
+                                                     final DefaultResourceLoader loader) {
+        try {
+            LOGGER.info("Initialize per-resource authorization service factory: " + factoryName);
+            final Class<AuthorizationServiceFactory> factoryClass =
+                    (Class<AuthorizationServiceFactory>) loader.getClassLoader().loadClass(factoryName);
+            final AuthorizationServiceFactory factory = factoryClass.newInstance();
+            return factory.init(systemProperties);
+        } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) {
+            throw new BeanCreationException("Can't create AuthorizationService " + factoryName, e);
+        }
+    }
+}
diff --git a/src/main/java/org/zalando/nakadi/plugin/auth/DefaultAuthorizationService.java b/src/main/java/org/zalando/nakadi/plugin/auth/DefaultAuthorizationService.java
new file mode 100644
index 0000000000..3b5533430f
--- /dev/null
+++ b/src/main/java/org/zalando/nakadi/plugin/auth/DefaultAuthorizationService.java
@@ -0,0 +1,19 @@
+package org.zalando.nakadi.plugin.auth;
+
+import org.zalando.nakadi.plugin.api.authz.AuthorizationAttribute;
+import org.zalando.nakadi.plugin.api.authz.AuthorizationService;
+import org.zalando.nakadi.plugin.api.authz.Resource;
+import org.zalando.nakadi.plugin.api.authz.Subject;
+
+public class DefaultAuthorizationService implements AuthorizationService {
+
+    @Override
+    public boolean isAuthorized(final Subject subject, final Operation operation, final Resource resource) {
+        return true;
+    }
+
+    @Override
+    public boolean isAuthorizationAttributeValid(final AuthorizationAttribute authorizationAttribute) {
+        return true;
+    }
+}
diff --git a/src/main/java/org/zalando/nakadi/plugin/auth/DefaultAuthorizationServiceFactory.java b/src/main/java/org/zalando/nakadi/plugin/auth/DefaultAuthorizationServiceFactory.java
new file mode 100644
index 0000000000..9119ad199b
--- /dev/null
+++ b/src/main/java/org/zalando/nakadi/plugin/auth/DefaultAuthorizationServiceFactory.java
@@ -0,0 +1,13 @@
+package org.zalando.nakadi.plugin.auth;
+
+import org.zalando.nakadi.plugin.api.SystemProperties;
+import org.zalando.nakadi.plugin.api.authz.AuthorizationService;
+import org.zalando.nakadi.plugin.api.authz.AuthorizationServiceFactory;
+
+public class DefaultAuthorizationServiceFactory implements AuthorizationServiceFactory {
+
+    @Override
+    public AuthorizationService init(final SystemProperties systemProperties) {
+        return new DefaultAuthorizationService();
+    }
+}
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index c66fb7d33b..2a2eb651a1 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -78,9 +78,11 @@ nakadi:
       eventTypeWrite: nakadi.event_type.write
       eventStreamRead: nakadi.event_stream.read
       eventStreamWrite: nakadi.event_stream.write
-  auth:
-    plugin:
+  plugins:
+    auth:
       factory: org.zalando.nakadi.plugin.auth.DefaultApplicationServiceFactory
+    authz:
+      factory: org.zalando.nakadi.plugin.auth.DefaultAuthorizationServiceFactory
   event.max.bytes: 999000
   timeline.wait.timeoutMs: 40000
   subscription: