diff --git a/app.js b/app.js
index deb5d6d..2f2f3a8 100644
--- a/app.js
+++ b/app.js
@@ -20,12 +20,12 @@ const passport = require('./config/passport');
 
 app.use(passport.initialize());
 
-app.use('/users', require('./routes/users'));
+app.use('/api/users', require('./routes/users'));
 
 const auth = require('./routes/auth');
 
-app.use('/lists', auth.required, require('./routes/lists'));
-app.use('/todos', auth.required, require('./routes/todos'));
+app.use('/api/lists', auth.required, require('./routes/lists'));
+app.use('/api/todos', auth.required, require('./routes/todos'));
 
 // 404 route
 app.use((req, res) => {
diff --git a/tests/integration/lists.test.js b/tests/integration/lists.test.js
index 84a0d27..1e89a4f 100644
--- a/tests/integration/lists.test.js
+++ b/tests/integration/lists.test.js
@@ -42,7 +42,7 @@ afterAll(async () => {
 describe('test lists', () => {
   test('should index lists', async () => {
     const response = await request(server)
-      .get('/lists')
+      .get('/api/lists')
       .set('Authorization', `Bearer ${token}`)
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json')
@@ -53,13 +53,13 @@ describe('test lists', () => {
   });
   test('should not index lists without authentication', async () => {
     await request(server)
-      .get('/lists')
+      .get('/api/lists')
       .set('Accept', 'application/json')
       .expect(401);
   });
   test('should create list', async () => {
     const response = await request(server)
-      .post('/lists')
+      .post('/api/lists')
       .send({
         name: 'List2',
       })
@@ -75,7 +75,7 @@ describe('test lists', () => {
   });
   test('should not create list without authentication', async () => {
     await request(server)
-      .post('/lists')
+      .post('/api/lists')
       .send({
         name: 'List2',
       })
@@ -85,7 +85,7 @@ describe('test lists', () => {
   });
   test('should update list', async () => {
     const response = await request(server)
-      .patch(`/lists/${list._id}`)
+      .patch(`/api/lists/${list._id}`)
       .send({
         name: 'List2',
       })
@@ -99,7 +99,7 @@ describe('test lists', () => {
   });
   test('should not update list without authentication', async () => {
     await request(server)
-      .patch(`/lists/${list._id}`)
+      .patch(`/api/lists/${list._id}`)
       .send({
         name: 'List2',
       })
@@ -110,7 +110,7 @@ describe('test lists', () => {
   });
   test('should remove list', async () => {
     const response = await request(server)
-      .delete(`/lists/${list._id}`)
+      .delete(`/api/lists/${list._id}`)
       .set('Authorization', `Bearer ${token}`)
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json')
@@ -125,7 +125,7 @@ describe('test lists', () => {
   });
   test('should not remove list without authentication', async () => {
     await request(server)
-      .delete(`/lists/${list._id}`)
+      .delete(`/api/lists/${list._id}`)
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json')
       .expect(401);
diff --git a/tests/integration/todos.test.js b/tests/integration/todos.test.js
index 41b7428..e8a910a 100644
--- a/tests/integration/todos.test.js
+++ b/tests/integration/todos.test.js
@@ -42,7 +42,7 @@ afterAll(async () => {
 describe('test todos', () => {
   test('should index todos', async () => {
     const response = await request(server)
-      .get(`/lists/${list._id}/todos`)
+      .get(`/api/lists/${list._id}/todos`)
       .set('Authorization', `Bearer ${token}`)
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json')
@@ -53,13 +53,13 @@ describe('test todos', () => {
   });
   test('should not index todos without authentication', async () => {
     await request(server)
-      .get(`/lists/${list._id}/todos`)
+      .get(`/api/lists/${list._id}/todos`)
       .set('Accept', 'application/json')
       .expect(401);
   });
   test('should create todo', async () => {
     const response = await request(server)
-      .post(`/lists/${list._id}/todos`)
+      .post(`/api/lists/${list._id}/todos`)
       .send({
         text: 'Todo2',
       })
@@ -77,7 +77,7 @@ describe('test todos', () => {
   });
   test('should not create todo without authentication', async () => {
     await request(server)
-      .post(`/lists/${list._id}/todos`)
+      .post(`/api/lists/${list._id}/todos`)
       .send({
         text: 'Todo1',
       })
@@ -87,7 +87,7 @@ describe('test todos', () => {
   });
   test('should update todo', async () => {
     const response = await request(server)
-      .patch(`/lists/${list._id}/todos/${todo._id}`)
+      .patch(`/api/lists/${list._id}/todos/${todo._id}`)
       .send({
         text: 'Todo2',
       })
@@ -102,7 +102,7 @@ describe('test todos', () => {
   });
   test('should not update todo without authentication', async () => {
     await request(server)
-      .patch(`/lists/${list._id}/todos/${todo._id}`)
+      .patch(`/api/lists/${list._id}/todos/${todo._id}`)
       .send({
         text: 'Todo2',
       })
@@ -114,7 +114,7 @@ describe('test todos', () => {
   });
   test('should remove todo', async () => {
     const response = await request(server)
-      .delete(`/lists/${list._id}/todos/${todo._id}`)
+      .delete(`/api/lists/${list._id}/todos/${todo._id}`)
       .set('Authorization', `Bearer ${token}`)
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json')
@@ -129,7 +129,7 @@ describe('test todos', () => {
   });
   test('should not remove todo without authentication', async () => {
     await request(server)
-      .delete(`/lists/${list._id}/todos/${todo._id}`)
+      .delete(`/api/lists/${list._id}/todos/${todo._id}`)
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json')
       .expect(401);
diff --git a/tests/integration/users.test.js b/tests/integration/users.test.js
index 2295afa..6bd7edd 100644
--- a/tests/integration/users.test.js
+++ b/tests/integration/users.test.js
@@ -40,7 +40,7 @@ afterAll(async () => {
 describe('test users', () => {
   test('should get user', async () => {
     const response = await request(server)
-      .get('/users/user')
+      .get('/api/users/user')
       .set('Authorization', `Bearer ${token}`)
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json')
@@ -52,7 +52,7 @@ describe('test users', () => {
   });
   test('should create user', async () => {
     const response = await request(server)
-      .post('/users')
+      .post('/api/users')
       .send({
         username: 'User2',
         password: 'password2',
@@ -69,7 +69,7 @@ describe('test users', () => {
   });
   test('should not create user with no username', async () => {
     const response = await request(server)
-      .post('/users')
+      .post('/api/users')
       .send({
         username: '',
         password: 'password2',
@@ -82,7 +82,7 @@ describe('test users', () => {
   });
   test('should not create user with no password', async () => {
     const response = await request(server)
-      .post('/users')
+      .post('/api/users')
       .send({
         username: 'User',
         password: '',
@@ -95,7 +95,7 @@ describe('test users', () => {
   });
   test('should login user', async () => {
     const response = await request(server)
-      .post('/users/login')
+      .post('/api/users/login')
       .send({
         username: 'User1',
         password: 'password1',
@@ -110,7 +110,7 @@ describe('test users', () => {
   });
   test('should not login user with no name', async () => {
     await request(server)
-      .post('/users/login')
+      .post('/api/users/login')
       .send({
         username: '',
         password: 'notpassword',
@@ -121,7 +121,7 @@ describe('test users', () => {
   });
   test('should not login user with wrong password', async () => {
     await request(server)
-      .post('/users/login')
+      .post('/api/users/login')
       .send({
         username: 'User',
         password: 'notpassword',
@@ -132,7 +132,7 @@ describe('test users', () => {
   });
   test('should update user', async () => {
     const response = await request(server)
-      .patch('/users/user')
+      .patch('/api/users/user')
       .send({
         username: 'User2',
         password: 'password2',
@@ -150,7 +150,7 @@ describe('test users', () => {
   });
   test('should not update user without authentication', async () => {
     const response = await request(server)
-      .patch('/users/user')
+      .patch('/api/users/user')
       .send({
         username: 'User2',
         password: 'password2',
@@ -162,7 +162,7 @@ describe('test users', () => {
   });
   test('should not delete user without authentication', async () => {
     const response = await request(server)
-      .delete('/users/user')
+      .delete('/api/users/user')
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json')
       .expect(401);
@@ -173,7 +173,7 @@ describe('test users', () => {
   });
   test('should delete user', async () => {
     const response = await request(server)
-      .delete('/users/user')
+      .delete('/api/users/user')
       .set('Authorization', `Bearer ${token}`)
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json')