diff --git a/jon/auth.py b/jon/auth.py
index 7bf3885..ec97056 100644
--- a/jon/auth.py
+++ b/jon/auth.py
@@ -1,7 +1,7 @@
import random
import string
-from flask import Blueprint, make_response, request, redirect, session
+from flask import Blueprint, request, redirect, render_template, session
bp = Blueprint("auth", __name__, url_prefix="/auth")
@@ -9,22 +9,17 @@ bp = Blueprint("auth", __name__, url_prefix="/auth")
ACCESS_TOKEN = "".join(random.choice(string.ascii_lowercase) for i in range(64))
-ERROR_TEXT = """
- For security-reasons we must make sure you are the person who executed jon :D
-
-
-
- """
+ALLOWED_PATHS = [
+ "/favicon.ico",
+ "/static/jon.css"
+]
def before_request():
"""
If the correct token query parameter is passed along with any request,
we mark this session authenticated by setting `session["authenticated"]`.
- Unless the session is authenticated, all requests results in a 403 FORBIDDEN.
+ Unless the session is authenticated, all requests result in a 403 FORBIDDEN.
"""
if "token" in request.args:
if request.args["token"] == ACCESS_TOKEN:
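Review bot: The docstring line corrected in this hunk is now inaccurate, because the new `ALLOWED_PATHS` list (used by the check added further down in `before_request`) lets some unauthenticated requests through; the sentence should read `Unless the session is authenticated, all requests except those whose path is in ALLOWED_PATHS result in a 403 FORBIDDEN.` Two context lines in this hunk are worth a follow-up even though the commit does not touch them: `ACCESS_TOKEN` is built with `random.choice`, which is not a cryptographically secure generator, so `secrets.choice` (or `secrets.token_hex(32)`) would be the appropriate source for an authentication secret, and the `==` comparison against `ACCESS_TOKEN` could use `hmac.compare_digest` to avoid a timing side channel. Since `ALLOWED_PATHS` is only ever used for membership tests, a `frozenset` would also state that intent more clearly than a list. The body of `before_request` continues past the end of this hunk.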
@@ -32,8 +27,12 @@ def before_request():
# Reload the page without query parameters
return redirect(request.path)
+ # Don't deny any paths in `ALLOWED_PATHS`
+ if request.path in ALLOWED_PATHS:
+ return
+
if not "authenticated" in session:
- return ERROR_TEXT, 403
+ return render_template("auth/denied.html"), 403
@bp.get("/logout")
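Review bot: The denied page returned on the new `render_template("auth/denied.html"), 403` line is served to unauthenticated clients, and the template added later in this diff renders every `config` entry via `{% for key, value in config.items() %}` whenever `config.DEBUG` is set, which would expose `SECRET_KEY` and any other secret held in the Flask config to anyone who reaches the app before entering the token. The config dump should be removed from the denied page, or at least shown only to a session that has already passed the token check rather than gated on `DEBUG` alone. A short comment on the rendering line such as `# Rendered for unauthenticated clients: the template must not leak config or the token` would document that constraint for future edits. The template hunk itself is cut off at the end of this page, so this note covers it as well.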
diff --git a/jon/static/jon.css b/jon/static/jon.css
new file mode 100644
index 0000000..9897996
--- /dev/null
+++ b/jon/static/jon.css
@@ -0,0 +1,65 @@
+html {
+ font-family: Helvetica, sans-serif;
+}
+h1 {
+ margin: 0;
+}
+nav > ul {
+ padding-left: 0;
+}
+nav > ul > li {
+ display: inline-block;
+ list-style: none;
+}
+nav > ul > li + li:before {
+ content: ' · ';
+}
+.current-page > a {
+ position: relative;
+}
+.current-page > a:after {
+ content: '↓';
+ font-size: 0.8em;
+ box-sizing: border-box;
+ position: absolute;
+ display: block;
+ right: 50%;
+ top: -1em;
+ width: 1em;
+ text-align: center;
+ margin-right: -0.5em;
+ animation: wiggle 0.8s ease-in-out 0s infinite;
+ /* animation-direction: alternate; */
+}
+.--align-left {
+ text-align: left;
+}
+.--align-right {
+ text-align: right;
+}
+.--centered {
+ text-align: center;
+}
+@keyframes wiggle {
+ 0%, 100% { margin-top: 0; }
+ 50% { margin-top: -0.5em; }
+ /* 100% { transform: rotate(1turn); } */
+}
+table {
+ border-spacing: .5em 0;
+}
+th {
+ font-size: .8em;
+}
+@media print {
+ body {
+ font-size: 8px;
+ }
+}
+.form-input > label {
+ font-size: .8em;
+}
+.form-input > input:not([type=radio]),
+.form-input > select {
+ display: block;
+}
diff --git a/jon/templates/auth/denied.html b/jon/templates/auth/denied.html
new file mode 100644
index 0000000..1122b1b
--- /dev/null
+++ b/jon/templates/auth/denied.html
@@ -0,0 +1,36 @@
+
+
+
+
+
+ jon · not authenticated
+
+
+
+
+
jon
+
+ {% if config.DEBUG %}
+
+ config
+
{% for key, value in config.items() %}{{ key }} = {{ value }}
+{% endfor %}
+
+ {% endif %}
+
+
+
+
+ Damit kein Schabernack getrieben wird müssen wir sicherstellen, dass du die Person bist die jon ausgeführt hat.
+ Gib unten das Token ein, welches jon beim Starten ausgegeben hat.
+