diff --git a/src/servala/api/views.py b/src/servala/api/views.py
index b00c25e..7ca0d82 100644
--- a/src/servala/api/views.py
+++ b/src/servala/api/views.py
@@ -3,6 +3,7 @@ import logging
 from contextlib import suppress
 
 from django.conf import settings
+from django.contrib.auth.decorators import login_not_required
 from django.core.mail import send_mail
 from django.db import transaction
 from django.http import JsonResponse
@@ -10,6 +11,7 @@ from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 
+from servala.api.permissions import OSBBasicAuthPermission
 from servala.core.exoscale import get_exoscale_origin
 from servala.core.models import BillingEntity, Organization, User
 from servala.core.models.service import Plan, Service
@@ -18,7 +20,8 @@ logger = logging.getLogger(__name__)
 
 
 @method_decorator(csrf_exempt, name="dispatch")
-class OSBServiceInstanceView(View):
+@method_decorator(login_not_required, name="dispatch")
+class OSBServiceInstanceView(OSBBasicAuthPermission, View):
     """
     OSB API endpoint for service instance provisioning (onboarding).
     Implements the PUT /v2/service_instances/:instance_id endpoint.
@@ -29,7 +32,10 @@ class OSBServiceInstanceView(View):
         return JsonResponse({"error": error}, status=400)
 
     def _get_user(self, data):
-        email = data.get("email").strip().lower()
+        email = data.get("email", "").strip().lower()
+        if not email:
+            raise ValueError("Email address is required but missing or empty")
+
         full_name = data.get("full_name") or ""
         name_parts = full_name.split(" ", 1)
         first_name = name_parts[0] if name_parts else ""
@@ -58,7 +64,9 @@ class OSBServiceInstanceView(View):
             "organization_guid"
         )
         organization_name = context.get("organization_name")
-        organization_display_name = context.get("organization_display_name")
+        organization_display_name = context.get(
+            "organization_display_name", organization_name
+        )
         users = parameters.get("users", [])
         service_id = data.get("service_id")
         plan_id = data.get("plan_id")
@@ -83,7 +91,7 @@ class OSBServiceInstanceView(View):
 
         try:
             service = Service.objects.get(id=service_id)
-            plan = Plan.objects.get(id=plan_id, service=service)
+            plan = Plan.objects.get(id=plan_id, service_offering__service=service)
         except Service.DoesNotExist:
             return self._error(f"Unknown service_id: {service_id}")
         except Plan.DoesNotExist:
@@ -152,7 +160,7 @@ The Servala Team"""
         )
 
     def _send_service_welcome_email(self, request, organization, user, service, plan):
-        service_path = f"{organization.urls.services}{service.slug}/offering/{plan.service_offering_id}/"
+        service_path = f"{organization.urls.services}{service.slug}/offering/{plan.service_offering.id}/"
         service_url = request.build_absolute_uri(service_path)
 
         subject = f"Get started with {service.name} - {organization.name}"
diff --git a/src/servala/settings.py b/src/servala/settings.py
index 00f4f0f..eef44f2 100644
--- a/src/servala/settings.py
+++ b/src/servala/settings.py
@@ -168,7 +168,6 @@ INSTALLED_APPS = [
 
 MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
-    "servala.api.authentication.OSBBasicAuthentication",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",