diff --git a/migrations/20230204_user_public_private_paths.js b/migrations/20230204_user_public_private_paths.js
new file mode 100644
index 0000000000..d7c0e23df6
--- /dev/null
+++ b/migrations/20230204_user_public_private_paths.js
@@ -0,0 +1,56 @@
+db.users.find({}).forEach(function(user){
+
+    // New user schema has public and private paths, so we can setup proper access control with racer
+    // Note 'public' and 'private' are reserved words
+    var newUser = {
+        pub:{},
+        priv: {}
+    };
+
+    newUser.priv.lastCron = user.lastCron;
+    user.priv.balance = user.balance;
+    user.priv.tasks = user.tasks;
+
+    // ------------ Stats
+    // rename money to gp
+    user.stats.gp = user.stats.money;
+    delete user.stats.money;
+    newUser.pub.stats = user.stats;
+
+    // ------------ Party
+    newUser.pub.party = null;
+
+
+    // ------------ ID lists
+    newUser.priv.idLists = {habit:user.habitList, daily:user.dailyList, todo:user.todoList, reward:user.rewardList};
+
+
+    // ------------ Flags
+    newUser.priv.flags = user.flags || {};
+
+    user.priv.partyEnabled = false;
+
+    user.priv.flags.itemsEnabled = user.items.itemsEnabled;
+    delete user.items.itemsEnabled;
+
+    // Items
+    user.pub.items = user.items;
+
+    // kickstarter
+    if (!user.notifications || !user.notifications.kickstarter) user.notifications = {kickstarter:'show'}
+    newUser.priv.flags.kickstarter = user.notifications.kickstarter;
+
+    // Ads
+    newUser.priv.flags.ads = user.flags.ads;
+
+    // ------------ API Token
+    newUser.priv.apiToken = user.preferences.api_token;
+    delete user.preferences.api_token;
+
+    // ------------ Preferences
+    newUser.pub.preferences = user.preferences;
+
+
+
+    db.users.update({_id:user.id}, newUser, {multi:true});
+})
\ No newline at end of file
diff --git a/server.js b/server.js
index 83a79584d9..3a4edb0e0d 100644
--- a/server.js
+++ b/server.js
@@ -4,7 +4,7 @@ process.on('uncaughtException', function (exception) {
 });
 
 require('coffee-script') // remove intermediate compilation requirement
-require('./src/server').listen(process.env.PORT || 3000);
+require('./lib/server').listen(process.env.PORT || 3000);
 
 // Note: removed "up" module, which is default for development (but interferes with and production + PaaS)
 // Restore to 5310bb0 if I want it back (see https://github.com/codeparty/derby/issues/165#issuecomment-10405693)
diff --git a/src/app/schema.coffee b/src/app/schema.coffee
index d8f601cdb1..942c0002a8 100644
--- a/src/app/schema.coffee
+++ b/src/app/schema.coffee
@@ -5,48 +5,51 @@ lodash = require 'lodash'
 derby = require 'derby'
 
 userSchema =
-  lastCron: 'new' #this will be replaced with `+new Date` on first run
-  balance: 2
-  stats: { money: 0, exp: 0, lvl: 1, hp: 50 }
-  items: { itemsEnabled: false, armor: 0, weapon: 0 }
-  notifications: { kickstarter: 'show' }
-  preferences: { gender: 'm', armorSet: 'v1' }
-  flags: { partyEnabled: false }
-  party: []
-  tasks: {}
-  habitIds: []
-  dailyIds: []
-  todoIds: []
-  rewardIds: []
+  # _id
+  pub:
+    stats: { gp: 0, exp: 0, lvl: 1, hp: 50 }
+    # party: null
+    # TODO invitations
+    items: { armor: 0, weapon: 0 }
+    preferences: { gender: 'm', armorSet: 'v1' }
+  priv:
+    idLists:
+      habit: []
+      daily: []
+      todo: []
+      reward: []
+    apiToken: null # set in newUserObject below
+    lastCron: 'new' #this will be replaced with `+new Date` on first run
+    balance: 2
+    tasks: {}
+    flags:
+      partyEnabled: false
+      itemsEnabled: false
+      kickstarter: 'show'
+      # ads: 'show' # added on registration
 
 module.exports.newUserObject = ->
   # deep clone, else further new users get duplicate objects
   newUser = require('lodash').cloneDeep userSchema
+  newUser.priv.apiToken = derby.uuid()
   for task in content.defaultTasks
-    guid = task.id = require('racer').uuid()
+    guid = task.id = derby.uuid()
     newUser.tasks[guid] = task
     switch task.type
-      when 'habit' then newUser.habitIds.push guid
-      when 'daily' then newUser.dailyIds.push guid
-      when 'todo' then newUser.todoIds.push guid
-      when 'reward' then newUser.rewardIds.push guid
+      when 'habit' then newUser.priv.idLists.habit.push guid
+      when 'daily' then newUser.priv.idLists.daily.push guid
+      when 'todo' then newUser.priv.idLists.todo.push guid
+      when 'reward' then newUser.priv.idLists.reward.push guid
   return newUser
 
 module.exports.updateUser = (batch) ->
   user = batch.user
+  obj = user.batch.obj()
 
-  batch.set('notifications.kickstarter', 'show') unless user.get('notifications.kickstarter')
-  batch.set('party', []) unless !_.isEmpty(user.get('party'))
-
-  # Preferences, including API key
-  # Some side-stepping to avoid unecessary set (one day, model.update... one day..)
-  currentPrefs = _.clone user.get('preferences')
-  mergedPrefs = _.defaults currentPrefs, { gender: 'm', armorSet: 'v1', api_token: derby.uuid() }
-  batch.set('preferences', mergedPrefs)
+  batch.set('priv.apiToken', derby.uuid()) unless obj.priv.apiToken
 
   ## Task List Cleanup
   # FIXME temporary hack to fix lists (Need to figure out why these are happening)
-  # FIXME consolidate these all under user.listIds so we can set them en-masse
   tasks = user.get('tasks')
   _.each ['habit','daily','todo','reward'], (type) ->
     path = "#{type}Ids"