diff --git a/java/google/registry/loadtest/BUILD b/java/google/registry/loadtest/BUILD
index 72168c62f..55254321d 100644
--- a/java/google/registry/loadtest/BUILD
+++ b/java/google/registry/loadtest/BUILD
@@ -11,6 +11,7 @@ java_library(
     deps = [
         "//java/google/registry/config",
         "//java/google/registry/request",
+        "//java/google/registry/request/auth",
         "//java/google/registry/security",
         "//java/google/registry/util",
         "//third_party/java/objectify:objectify-v4_1",
diff --git a/java/google/registry/loadtest/LoadTestAction.java b/java/google/registry/loadtest/LoadTestAction.java
index 7a0ecee9b..ae920ae01 100644
--- a/java/google/registry/loadtest/LoadTestAction.java
+++ b/java/google/registry/loadtest/LoadTestAction.java
@@ -33,6 +33,8 @@ import com.google.common.collect.Iterators;
 import google.registry.config.RegistryEnvironment;
 import google.registry.request.Action;
 import google.registry.request.Parameter;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.security.XsrfTokenManager;
 import google.registry.util.FormattingLogger;
 import google.registry.util.TaskEnqueuer;
@@ -47,15 +49,22 @@ import org.joda.time.DateTime;
  * Simple load test action that can generate configurable QPSes of various EPP actions.
  *
  * <p>All aspects of the load test are configured via URL parameters that are specified when the
- * loadtest URL is being POSTed to.  The {@code clientId} and {@code tld} parameters are required.
+ * loadtest URL is being POSTed to. The {@code clientId} and {@code tld} parameters are required.
  * All of the other parameters are optional, but if none are specified then no actual load testing
  * will be done since all of the different kinds of checks default to running zero per second. So at
  * least one must be specified in order for load testing to do anything.
  */
 @Action(
-    path = LoadTestAction.PATH,
-    method = Action.Method.POST,
-    automaticallyPrintOk = true)
+  path = LoadTestAction.PATH,
+  method = Action.Method.POST,
+  automaticallyPrintOk = true,
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public class LoadTestAction implements Runnable {
 
   private static final FormattingLogger logger = getLoggerForCallerClass();
diff --git a/java/google/registry/tools/server/ResaveAllEppResourcesAction.java b/java/google/registry/tools/server/ResaveAllEppResourcesAction.java
index 68bd149e2..841329f47 100644
--- a/java/google/registry/tools/server/ResaveAllEppResourcesAction.java
+++ b/java/google/registry/tools/server/ResaveAllEppResourcesAction.java
@@ -26,6 +26,8 @@ import google.registry.mapreduce.inputs.EppResourceInputs;
 import google.registry.model.EppResource;
 import google.registry.request.Action;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import javax.inject.Inject;
 
 /**
@@ -39,7 +41,15 @@ import javax.inject.Inject;
  * run internally, or by pretending to be internal by setting the X-AppEngine-QueueName header,
  * which only admin users can do.
  */
-@Action(path = "/_dr/task/resaveAllEppResources")
+@Action(
+  path = "/_dr/task/resaveAllEppResources",
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public class ResaveAllEppResourcesAction implements Runnable {
 
   @Inject MapreduceRunner mrRunner;
diff --git a/java/google/registry/tools/server/javascrap/BUILD b/java/google/registry/tools/server/javascrap/BUILD
index 5cfd51119..f0d2ed064 100644
--- a/java/google/registry/tools/server/javascrap/BUILD
+++ b/java/google/registry/tools/server/javascrap/BUILD
@@ -13,6 +13,7 @@ java_library(
         "//java/google/registry/mapreduce/inputs",
         "//java/google/registry/model",
         "//java/google/registry/request",
+        "//java/google/registry/request/auth",
         "//java/google/registry/util",
         "//third_party/java/objectify:objectify-v4_1",
         "@com_google_appengine_api_1_0_sdk",
diff --git a/java/google/registry/tools/server/javascrap/RefreshAllDomainsAction.java b/java/google/registry/tools/server/javascrap/RefreshAllDomainsAction.java
index c11a50559..552969fd0 100644
--- a/java/google/registry/tools/server/javascrap/RefreshAllDomainsAction.java
+++ b/java/google/registry/tools/server/javascrap/RefreshAllDomainsAction.java
@@ -25,6 +25,8 @@ import google.registry.model.EppResourceUtils;
 import google.registry.model.domain.DomainResource;
 import google.registry.request.Action;
 import google.registry.request.Response;
+import google.registry.request.auth.Auth;
+import google.registry.request.auth.AuthLevel;
 import google.registry.util.FormattingLogger;
 import javax.inject.Inject;
 import org.joda.time.DateTime;
@@ -37,7 +39,15 @@ import org.joda.time.DateTimeZone;
  * run internally, or by pretending to be internal by setting the X-AppEngine-QueueName header,
  * which only admin users can do.
  */
-@Action(path = "/_dr/task/refreshAllDomains")
+@Action(
+  path = "/_dr/task/refreshAllDomains",
+  auth =
+      @Auth(
+        methods = {Auth.AuthMethod.INTERNAL, Auth.AuthMethod.API},
+        minimumLevel = AuthLevel.APP,
+        userPolicy = Auth.UserPolicy.ADMIN
+      )
+)
 public class RefreshAllDomainsAction implements Runnable {
 
   private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
diff --git a/javatests/google/registry/module/tools/testdata/tools_routing.txt b/javatests/google/registry/module/tools/testdata/tools_routing.txt
index 31d9aa08b..ea107e752 100644
--- a/javatests/google/registry/module/tools/testdata/tools_routing.txt
+++ b/javatests/google/registry/module/tools/testdata/tools_routing.txt
@@ -11,11 +11,11 @@ PATH                            CLASS                       METHODS  OK XSRF SCO
 /_dr/admin/updatePremiumList    UpdatePremiumListAction     POST     n  n    app   n     INTERNAL,API APP ADMIN
 /_dr/admin/verifyOte            VerifyOteAction             POST     n  y    admin n     INTERNAL,API APP ADMIN
 /_dr/epptool                    EppToolAction               POST     n  y    admin n     INTERNAL,API APP ADMIN
-/_dr/loadtest                   LoadTestAction              POST     y  n    app   n     INTERNAL     APP IGNORED
+/_dr/loadtest                   LoadTestAction              POST     y  n    app   n     INTERNAL,API APP ADMIN
 /_dr/publishDetailReport        PublishDetailReportAction   POST     n  y    admin n     INTERNAL,API APP ADMIN
 /_dr/task/generateZoneFiles     GenerateZoneFilesAction     POST     n  n    app   n     INTERNAL,API APP ADMIN
 /_dr/task/killAllCommitLogs     KillAllCommitLogsAction     POST     n  n    app   n     INTERNAL     APP IGNORED
 /_dr/task/killAllEppResources   KillAllEppResourcesAction   POST     n  n    app   n     INTERNAL     APP IGNORED
-/_dr/task/refreshAllDomains     RefreshAllDomainsAction     GET      n  n    app   n     INTERNAL     APP IGNORED
-/_dr/task/resaveAllEppResources ResaveAllEppResourcesAction GET      n  n    app   n     INTERNAL     APP IGNORED
+/_dr/task/refreshAllDomains     RefreshAllDomainsAction     GET      n  n    app   n     INTERNAL,API APP ADMIN
+/_dr/task/resaveAllEppResources ResaveAllEppResourcesAction GET      n  n    app   n     INTERNAL,API APP ADMIN
 /_dr/task/restoreCommitLogs     RestoreCommitLogsAction     POST     y  n    app   n     INTERNAL,API APP ADMIN