User authentication via XSUAA in Kyma Environment

Hello,

I am using Kyma Environment momentarily only in my Trial Account so I can test it's features and implementations.

I deployed a dummy app so far. I would like to access this app only by authenticating an user via XSUAA but I really can't find a good example on how to do that. I have created an Authorization & Trust Management Instance (XSUAA) and I can successfully create a binding between the app and the XSUAA instance.

If I test the binding with the Postman using the bindings client id and client secret I can successfully "log in" and get the token, but later on I don't know how to "protect" my app so it won't be directly accesible without an authentication. So the binding is there, sucessfully created and working, but the app is still publicly available. Are there any settings to be made in "API Rules" segment? If I use "Allow" or "noop" my app is always accessible. What configuration should I make to achieve this?

Thanks for any help in advance.