diff --git a/auth/auth.go b/auth/auth.go
index fee5792a2a..a2c601a0a1 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -31,20 +31,24 @@ type Auth interface {
  Options() Options
  // Generate a new account
  Generate(id string, opts ...GenerateOption) (*Account, error)
- // Verify an account has access to a resource using the rules
- Verify(acc *Account, res *Resource, opts ...VerifyOption) error
  // Inspect a token
  Inspect(token string) (*Account, error)
  // Token generated using refresh token or credentials
  Token(opts ...TokenOption) (*Token, error)
+ // String returns the name of the implementation
+ String() string
+}
+
+// Rules manages access to resources
+type Rules interface {
+ // Verify an account has access to a resource using the rules
+ Verify(acc *Account, res *Resource, opts ...VerifyOption) error
  // Grant access to a resource
  Grant(rule *Rule) error
  // Revoke access to a resource
  Revoke(rule *Rule) error
- // Rules returns all the rules used to verify requests
- Rules(...RulesOption) ([]*Rule, error)
- // String returns the name of the implementation
- String() string
+ // List returns all the rules used to verify requests
+ List(...ListOption) ([]*Rule, error)
 }
 
 // Account provided by an auth provider
diff --git a/auth/default.go b/auth/default.go
index 9c05aad441..2c683c2625 100644
--- a/auth/default.go
+++ b/auth/default.go
@@ -20,10 +20,16 @@ func NewAuth(opts ...Option) Auth {
  }
 }
 
+func NewRules() Rules {
+ return new(noopRules)
+}
+
 type noop struct {
  opts Options
 }
 
+type noopRules struct{}
+
 // String returns the name of the implementation
 func (n *noop) String() string {
  return "noop"
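Review bot: `Rules.Verify` is now the only authorization hook in the package, but its comment (`+ // Verify an account has access to a resource using the rules`) does not state what the return value means, and every caller's allow/deny decision hangs on it. The noop implementation returns nil unconditionally and the jwt one returns whatever `auth.Verify(j.rules, acc, res)` yields, so nil-means-permitted is presumably the contract; the interface should say so: `// Verify returns nil if the account may access the resource under the current rules, and a non-nil error when access is denied.` It would also help to note on `Rules` that, since `Auth` no longer has `Verify`, an `Auth` must be paired with a `Rules` for any authorization to take place.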
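Review bot: `NewRules` is a new exported constructor with no doc comment, and the `noopRules` it returns permits everything: its `Verify` returns nil for any account and resource, `Grant`/`Revoke` discard their rule and `List` is always empty (next hunk of this file). That fail-open behaviour should be stated at the declaration so nobody wires it in as a default by accident: `// NewRules returns a no-op Rules: Grant and Revoke are ignored, List is empty and Verify permits every request. Intended for tests and for deployments that do not want authorization.` `noopRules` itself also lacks a comment; the same one-liner on `type noopRules struct{}` would do.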
@@ -55,25 +61,25 @@ func (n *noop) Generate(id string, opts ...GenerateOption) (*Account, error) {
 }
 
 // Grant access to a resource
-func (n *noop) Grant(rule *Rule) error {
+func (n *noopRules) Grant(rule *Rule) error {
  return nil
 }
 
 // Revoke access to a resource
-func (n *noop) Revoke(rule *Rule) error {
+func (n *noopRules) Revoke(rule *Rule) error {
  return nil
 }
 
 // Rules used to verify requests
-func (n *noop) Rules(opts ...RulesOption) ([]*Rule, error) {
- return []*Rule{}, nil
-}
-
 // Verify an account has access to a resource
-func (n *noop) Verify(acc *Account, res *Resource, opts ...VerifyOption) error {
+func (n *noopRules) Verify(acc *Account, res *Resource, opts ...VerifyOption) error {
  return nil
 }
 
+func (n *noopRules) List(opts ...ListOption) ([]*Rule, error) {
+ return []*Rule{}, nil
+}
+
 // Inspect a token
 func (n *noop) Inspect(token string) (*Account, error) {
  return &Account{ID: uuid.New().String(), Issuer: n.Options().Namespace}, nil
diff --git a/auth/jwt/jwt.go b/auth/jwt/jwt.go
index ea25089138..d031997991 100644
--- a/auth/jwt/jwt.go
+++ b/auth/jwt/jwt.go
@@ -16,12 +16,19 @@ func NewAuth(opts ...auth.Option) auth.Auth {
  return j
 }
 
+func NewRules() auth.Rules {
+ return new(jwtRules)
+}
+
 type jwt struct {
+ sync.Mutex
  options auth.Options
  jwt token.Provider
- rules []*auth.Rule
+}
+type jwtRules struct {
  sync.Mutex
+ rules []*auth.Rule
 }
 
 func (j *jwt) String() string {
@@ -70,14 +77,14 @@ func (j *jwt) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
  return account, nil
 }
 
-func (j *jwt) Grant(rule *auth.Rule) error {
+func (j *jwtRules) Grant(rule *auth.Rule) error {
  j.Lock()
  defer j.Unlock()
  j.rules = append(j.rules, rule)
  return nil
 }
 
-func (j *jwt) Revoke(rule *auth.Rule) error {
+func (j *jwtRules) Revoke(rule *auth.Rule) error {
  j.Lock()
  defer j.Unlock()
 
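Review bot: `noop.Rules` is removed but its heading `// Rules used to verify requests` is kept as context, so on the new side that stale line sits immediately above `// Verify an account has access to a resource` and reads as a second doc comment for `noopRules.Verify`; delete it. The new `List` is the only method in this file without a comment — `// List returns the rules used to verify requests; the noop implementation has none` keeps the file uniform. Since `return nil` from `Verify` is an unconditional allow, the `Verify` comment should also say that the noop implementation permits every request.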
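Review bot: `jwt` gets an embedded `sync.Mutex` (`+ sync.Mutex` under `type jwt struct`), yet every method in this diff that calls `j.Lock()` — `Grant`, `Revoke`, `Verify`, `List` — has been moved to `*jwtRules`; unless a `jwt` method outside this diff locks it, the mutex on `jwt` is unused and should be dropped. Embedding also puts `Lock`/`Unlock` in the type's method set; a named field `mu sync.Mutex` keeps the lock private, although `jwtRules` is unexported and handed out as `auth.Rules`, so the exposure is small. `+}` is followed directly by `+type jwtRules struct {` with no separating blank line, and neither `NewRules` nor `jwtRules` has a doc comment; as far as this file shows the rules live only in the `rules` slice of one process, so `// NewRules returns an in-memory Rules store; granted rules are held in this process only` would tell callers what they are getting.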
@@ -92,7 +99,7 @@ func (j *jwt) Revoke(rule *auth.Rule) error {
  return nil
 }
 
-func (j *jwt) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyOption) error {
+func (j *jwtRules) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyOption) error {
  j.Lock()
  defer j.Unlock()
 
@@ -104,7 +111,7 @@ func (j *jwt) Verify(acc *auth.Account, res *auth.Resource, opts ...auth.VerifyO
  return auth.Verify(j.rules, acc, res)
 }
 
-func (j *jwt) Rules(opts ...auth.RulesOption) ([]*auth.Rule, error) {
+func (j *jwtRules) List(opts ...auth.ListOption) ([]*auth.Rule, error) {
  j.Lock()
  defer j.Unlock()
  return j.rules, nil
diff --git a/auth/options.go b/auth/options.go
index 5f0464daab..ef5f7b2882 100644
--- a/auth/options.go
+++ b/auth/options.go
@@ -219,14 +219,14 @@ func VerifyContext(ctx context.Context) VerifyOption {
  }
 }
 
-type RulesOptions struct {
+type ListOptions struct {
  Context context.Context
 }
 
-type RulesOption func(o *RulesOptions)
+type ListOption func(o *ListOptions)
 
-func RulesContext(ctx context.Context) RulesOption {
- return func(o *RulesOptions) {
+func RulesContext(ctx context.Context) ListOption {
+ return func(o *ListOptions) {
  o.Context = ctx
  }
 }
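Review bot: `List` returns `j.rules` itself, the slice that `Grant` appends to under the mutex, so once `Unlock` runs the caller holds an alias of the live rule set: ranging over it while `Grant` appends into spare capacity is a data race, and writing into it changes the rules `Verify` enforces, all outside the lock. Return a copy instead: `out := make([]*auth.Rule, len(j.rules))`, `copy(out, j.rules)`, `return out, nil`. The `opts` argument is accepted but never read; a comment saying `ListOption` is reserved for later avoids the appearance of a dropped parameter. `List`'s closing brace is outside the hunk.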
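Review bot: The option types are renamed to `ListOptions`/`ListOption`, but the constructor keeps its old name, leaving `func RulesContext(ctx context.Context) ListOption` on the new side — a `Rules…` function producing a `List…` value, out of step with `VerifyContext`/`VerifyOption` just above. Rename it to `ListContext`, and if external callers may depend on the old name keep `func RulesContext(ctx context.Context) ListOption { return ListContext(ctx) }` with a `// Deprecated: use ListContext.` line. None of `ListOptions`, `ListOption` or the constructor has a doc comment; `// ListOptions holds the options for Rules.List` and `// ListContext sets the context used by Rules.List` would cover them.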