diff --git a/api.go b/api.go
index 75c1568..b80e52c 100644
--- a/api.go
+++ b/api.go
@@ -67,11 +67,6 @@ func (srv *RttyServer) ListenAPI() error {
 }
 authorized := r.Group("/", func(c *gin.Context) {
- if !callUserHookUrl(cfg, c) {
- c.AbortWithStatus(http.StatusForbidden)
- return
- }
-
 if !cfg.LocalAuth && isLocalRequest(c) {
 return
 }
@@ -83,6 +78,11 @@ func (srv *RttyServer) ListenAPI() error {
 })
 authorized.GET("/connect/:devid", func(c *gin.Context) {
+ if !callUserHookUrl(cfg, c) {
+ c.Status(http.StatusForbidden)
+ return
+ }
+
 if c.GetHeader("Upgrade") != "websocket" {
 group := c.Query("group")
 devid := c.Param("devid")
@@ -172,6 +172,11 @@ func (srv *RttyServer) ListenAPI() error {
 })
 authorized.POST("/cmd/:devid", func(c *gin.Context) {
+ if !callUserHookUrl(cfg, c) {
+ c.Status(http.StatusForbidden)
+ return
+ }
+
 cmdInfo := &CommandReqInfo{}
 err := c.BindJSON(&cmdInfo)
diff --git a/http.go b/http.go
index 31487c6..3298a93 100644
--- a/http.go
+++ b/http.go
@@ -224,6 +224,11 @@ func httpProxyRedirect(srv *RttyServer, c *gin.Context, group string) {
 addr := c.Param("addr")
 rawPath := c.Param("path")
+ if !callUserHookUrl(cfg, c) {
+ c.Status(http.StatusForbidden)
+ return
+ }
+
 log.Debug().Msgf("httpProxyRedirect devid: %s, proto: %s, addr: %s, path: %s", devid, proto, addr, rawPath)
 _, _, err := httpProxyVaildAddr(addr)
diff --git a/main.go b/main.go
index b4f4c51..4564fbf 100644
--- a/main.go
+++ b/main.go
@@ -104,7 +104,7 @@ func main() {
 },
 &cli.StringFlag{
 Name: "user-hook-url",
- Usage: "called when the user accesses APIs",
+ Usage: "called when user accesses /connect/:devid, /cmd/:devid, /web/, or /web2/ APIs",
 },
 &cli.BoolFlag{
 Name: "local-auth",
diff --git a/rttys.conf b/rttys.conf
index 1f059b4..2c331d0 100644
--- a/rttys.conf
+++ b/rttys.conf
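Review bot: The per-handler checks added in the /connect/:devid and /cmd/:devid hunks (and the one in httpProxyRedirect in http.go) replace the removed group middleware's `c.AbortWithStatus(http.StatusForbidden)` with `c.Status(http.StatusForbidden)` plus `return`, which sets the status but does not abort the gin handler chain, so any handler registered after these on the same route would still execute. The same four lines are also now copied into three places, and a route added to the `authorized` group later gets no user-hook check at all unless its author remembers to paste them; the updated Usage strings document that narrowing but nothing in the code enforces it. Registering the check once as a per-route middleware that aborts keeps the old semantics and makes the covered routes explicit at the registration site, which is where a reviewer will look for them. In http.go, `cfg` is not a parameter of httpProxyRedirect, so it is presumably bound earlier in that function outside the hunk — worth confirming it is the same config the API handlers use. ListenAPI starts and ends outside every hunk in this file.
```go
// userHook rejects the request unless the configured user hook allows it;
// AbortWithStatus keeps any later handler on the route from running.
userHook := func(c *gin.Context) {
	if !callUserHookUrl(cfg, c) {
		c.AbortWithStatus(http.StatusForbidden)
	}
}
// … unchanged: group middleware and other routes …
authorized.GET("/connect/:devid", userHook, func(c *gin.Context) {
// … unchanged: handler body, without the inline hook check …
authorized.POST("/cmd/:devid", userHook, func(c *gin.Context) {
// … unchanged: handler body, without the inline hook check …
```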
@@ -22,12 +22,12 @@
 # Return HTTP 200 to allow the device to connect
 #dev-hook-url: http://127.0.0.1:8080/rttys-dev-hook
-# User hook URL - called when users access APIs (if configured)
+# User hook URL - called when users access /connect/:devid, /cmd/:devid, /web/, or /web2/ APIs (if configured)
 # Rttys will pass all original headers, along with additional specific headers:
 # X-Rttys-Hook: true
 # X-Original-Method: original request method
 # X-Original-URL: original request URL
-# Return HTTP 200 to allow the user to access the API
+# Return HTTP 200 to allow the user to access the API endpoint
 #user-hook-url: http://127.0.0.1:8080/rttys-user-hook
 # Local access authentication (disable authentication for local requests)