diff --git a/js/admin-script.js b/js/admin-script.js
index 3f81553..8fd3ebc 100644
--- a/js/admin-script.js
+++ b/js/admin-script.js
@@ -137,7 +137,8 @@ jQuery( document ).ready(
 					{
 						pageLength: 25,
 						ajax: {
-							url: aaaOptionOptimizer.root + 'aaa-option-optimizer/v1/all-options/',
+							url: aaaOptionOptimizer.root + 'aaa-option-optimizer/v1/all-options',
+							headers: { 'X-WP-Nonce': aaaOptionOptimizer.nonce },
 							type: 'GET',
 							dataSrc: 'data',
 						},
diff --git a/src/class-rest.php b/src/class-rest.php
index 7ca679b..bfa8363 100644
--- a/src/class-rest.php
+++ b/src/class-rest.php
@@ -100,12 +100,12 @@ public function register_rest_routes() {
 
 		\register_rest_route(
 			'aaa-option-optimizer/v1',
-			'/all-options/',
+			'/all-options',
 			[
 				'methods'             => 'GET',
 				'callback'            => [ $this, 'get_all_options' ],
 				'permission_callback' => function () {
-					return true;
+					return current_user_can( 'manage_options' );
 				},
 			]
 		);