Make separation between routes

I have a simple app with 2 routes.
I created a system in which the customer, to enter the app, has to pass through nginx (reverse-nginx),
which forwards to Keycloak, and if he passes Keycloak, nginx forwards him to the app.
I succeeded in locking my whole app, unless he has permission to get in.
But now, I want to divide my routes in the app,
to give the customer permission for one route and not for the other.
My question is whether my changes need to be made in my application, or whether I can do that in Keycloak, so that he can get in to one route and not to the other.
I will note that all my data traffic, requests, go through nginx.
Second thing: I need minimal protection on my route, because it's in an internal network.
So, is there a way? Or do I need to make changes in my app too?