diff --git a/.gitignore b/.gitignore
index bd22805a7885de0c8c804c57608e4bbdca174403..82c9a42b3bf60cc5dab922e3d366cedc9e80c05d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 *.toml
 .envrc
 .idea
+.tool-versions
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 83cf24ac189885ab2d3df94072cdbde37fbe9be5..c61d8c576880498299993a114126dd392a43e002 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM golang:1.21 AS builder
 WORKDIR /app
 COPY . .
-RUN CGO_ENABLED=0 go build -o glgo
+RUN CGO_ENABLED=0 go build -o glgo ./cmd/service/
 
 FROM alpine:3.18.5
 WORKDIR /app
diff --git a/main.go b/cmd/service/main.go
similarity index 94%
rename from main.go
rename to cmd/service/main.go
index 937e72655fa6387add71e5baf9e81a28ac70bd54..99de65e9e2c275bfb702053e2fa2b6114e8cede9 100644
--- a/main.go
+++ b/cmd/service/main.go
@@ -5,8 +5,8 @@ import (
 	"log/slog"
 	"os"
 
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/oidc/identity"
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/service"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/oidc/identity"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/service"
 )
 
 func main() {
diff --git a/gcp/artifactregistry/artifactregistry.go b/internal/gcp/artifactregistry/artifactregistry.go
similarity index 100%
rename from gcp/artifactregistry/artifactregistry.go
rename to internal/gcp/artifactregistry/artifactregistry.go
diff --git a/gcp/artifactregistry/doc.go b/internal/gcp/artifactregistry/doc.go
similarity index 100%
rename from gcp/artifactregistry/doc.go
rename to internal/gcp/artifactregistry/doc.go
diff --git a/gcp/artifactregistry/docker.go b/internal/gcp/artifactregistry/docker.go
similarity index 100%
rename from gcp/artifactregistry/docker.go
rename to internal/gcp/artifactregistry/docker.go
diff --git a/gcp/artifactregistry/http.go b/internal/gcp/artifactregistry/http.go
similarity index 97%
rename from gcp/artifactregistry/http.go
rename to internal/gcp/artifactregistry/http.go
index 359aa563ed6857b1fd6304303a116eb5a1a8180d..4da0614da0b49665d64449397b6edcdce9822bb0 100644
--- a/gcp/artifactregistry/http.go
+++ b/internal/gcp/artifactregistry/http.go
@@ -7,8 +7,8 @@ import (
 	"net/http"
 	"strconv"
 
-	utils "gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/pkg/utils/context"
-	httputils "gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/pkg/utils/http"
+	utils "gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/utils/context"
+	httputils "gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/utils/http"
 
 	"github.com/gorilla/mux"
 	"golang.org/x/oauth2"
diff --git a/gcp/doc.go b/internal/gcp/doc.go
similarity index 100%
rename from gcp/doc.go
rename to internal/gcp/doc.go
diff --git a/gcp/gateway.go b/internal/gcp/gateway.go
similarity index 97%
rename from gcp/gateway.go
rename to internal/gcp/gateway.go
index 8c00c2b53d01bfe3b50f6ec9e020349d8be8fa5c..bf37908db826fa9a0c66c78570c4b35781d56549 100644
--- a/gcp/gateway.go
+++ b/internal/gcp/gateway.go
@@ -11,10 +11,10 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jws"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/oidc/identity"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/oidc/token"
 	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/utils"
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/oidc/identity"
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/oidc/token"
-	httputils "gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/pkg/utils/http"
+	httputils "gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/utils/http"
 )
 
 const (
diff --git a/gcp/gateway_test.go b/internal/gcp/gateway_test.go
similarity index 99%
rename from gcp/gateway_test.go
rename to internal/gcp/gateway_test.go
index a34ccbf573f6613d5ef45a9d13308c45ee0bebcb..664153163c7868e6c7b7d1022189fd5d0a597a76 100644
--- a/gcp/gateway_test.go
+++ b/internal/gcp/gateway_test.go
@@ -20,10 +20,10 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/stretchr/testify/require"
 
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/oidc/identity"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/oidc/token"
 	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/testutil"
 	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/utils"
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/oidc/identity"
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/oidc/token"
 )
 
 func TestTokenExchangeGateway(t *testing.T) {
diff --git a/gcp/http.go b/internal/gcp/http.go
similarity index 90%
rename from gcp/http.go
rename to internal/gcp/http.go
index fc9fa11fe323b4b244cfa8567931970ab0552b9b..845d59757c60437da34c8914ff9fadd1fcccdb6d 100644
--- a/gcp/http.go
+++ b/internal/gcp/http.go
@@ -1,8 +1,8 @@
 package gcp
 
 import (
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/gcp/artifactregistry"
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/pkg/utils/middleware"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/gcp/artifactregistry"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/utils/middleware"
 
 	"github.com/gorilla/mux"
 )
diff --git a/oidc/identity/discovery.go b/internal/oidc/identity/discovery.go
similarity index 100%
rename from oidc/identity/discovery.go
rename to internal/oidc/identity/discovery.go
diff --git a/oidc/identity/key.go b/internal/oidc/identity/key.go
similarity index 100%
rename from oidc/identity/key.go
rename to internal/oidc/identity/key.go
diff --git a/oidc/identity/key_test.go b/internal/oidc/identity/key_test.go
similarity index 100%
rename from oidc/identity/key_test.go
rename to internal/oidc/identity/key_test.go
diff --git a/oidc/identity/keyring.go b/internal/oidc/identity/keyring.go
similarity index 100%
rename from oidc/identity/keyring.go
rename to internal/oidc/identity/keyring.go
diff --git a/oidc/identity/keyring_test.go b/internal/oidc/identity/keyring_test.go
similarity index 100%
rename from oidc/identity/keyring_test.go
rename to internal/oidc/identity/keyring_test.go
diff --git a/oidc/identity/provider.go b/internal/oidc/identity/provider.go
similarity index 100%
rename from oidc/identity/provider.go
rename to internal/oidc/identity/provider.go
diff --git a/oidc/identity/provider_test.go b/internal/oidc/identity/provider_test.go
similarity index 100%
rename from oidc/identity/provider_test.go
rename to internal/oidc/identity/provider_test.go
diff --git a/oidc/identity/testdata/gitlab_discovery_keys.json b/internal/oidc/identity/testdata/gitlab_discovery_keys.json
similarity index 100%
rename from oidc/identity/testdata/gitlab_discovery_keys.json
rename to internal/oidc/identity/testdata/gitlab_discovery_keys.json
diff --git a/oidc/identity/testdata/identity_key.pem b/internal/oidc/identity/testdata/identity_key.pem
similarity index 100%
rename from oidc/identity/testdata/identity_key.pem
rename to internal/oidc/identity/testdata/identity_key.pem
diff --git a/oidc/token/claims.go b/internal/oidc/token/claims.go
similarity index 100%
rename from oidc/token/claims.go
rename to internal/oidc/token/claims.go
diff --git a/oidc/token/claims_test.go b/internal/oidc/token/claims_test.go
similarity index 99%
rename from oidc/token/claims_test.go
rename to internal/oidc/token/claims_test.go
index 2d9bc9792d04b730e69a23746db9c73d1323e2b9..67b33b4cb92b5f8bd97f50efb98cf3b6b996707f 100644
--- a/oidc/token/claims_test.go
+++ b/internal/oidc/token/claims_test.go
@@ -5,7 +5,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/oidc/token"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/oidc/token"
 )
 
 func TestGitlabClaims_CloudClaims(t *testing.T) {
diff --git a/oidc/token/token.go b/internal/oidc/token/token.go
similarity index 100%
rename from oidc/token/token.go
rename to internal/oidc/token/token.go
diff --git a/oidc/token/token_test.go b/internal/oidc/token/token_test.go
similarity index 98%
rename from oidc/token/token_test.go
rename to internal/oidc/token/token_test.go
index 245c38692f5250d11584464b57197dec4b3e6b46..416a5d654b07639010709cda6836179e24f1a134 100644
--- a/oidc/token/token_test.go
+++ b/internal/oidc/token/token_test.go
@@ -11,7 +11,7 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/stretchr/testify/require"
 
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/oidc/token"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/oidc/token"
 )
 
 func newRawToken(_ *testing.T) token.Token {
diff --git a/service/service.go b/internal/service/service.go
similarity index 97%
rename from service/service.go
rename to internal/service/service.go
index c301dd38bb81c4c778f3018772803567af910da4..0fb711901c523dfad3932ff3a98d642ef371e6de 100644
--- a/service/service.go
+++ b/internal/service/service.go
@@ -8,8 +8,8 @@ import (
 	"github.com/gorilla/mux"
 	"gitlab.com/gitlab-org/labkit/log"
 
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/gcp"
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/oidc/identity"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/gcp"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/oidc/identity"
 )
 
 type Service struct {
diff --git a/service/service_test.go b/internal/service/service_test.go
similarity index 97%
rename from service/service_test.go
rename to internal/service/service_test.go
index ae367d8b3ea6a211f217c2a8c4765b2b7919e67e..b7e16a6e60f5946b454ea4703846c75550a0d64c 100644
--- a/service/service_test.go
+++ b/internal/service/service_test.go
@@ -11,8 +11,8 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jwk"
 	"github.com/stretchr/testify/require"
 
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/oidc/identity"
 	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/testutil"
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/oidc/identity"
 )
 
 func TestHealthCheck(t *testing.T) {
diff --git a/service/testdata/identity_key.pem b/internal/service/testdata/identity_key.pem
similarity index 100%
rename from service/testdata/identity_key.pem
rename to internal/service/testdata/identity_key.pem
diff --git a/pkg/utils/context/context.go b/internal/utils/context/context.go
similarity index 100%
rename from pkg/utils/context/context.go
rename to internal/utils/context/context.go
diff --git a/pkg/utils/http/http.go b/internal/utils/http/http.go
similarity index 100%
rename from pkg/utils/http/http.go
rename to internal/utils/http/http.go
diff --git a/pkg/utils/middleware/bearer.go b/internal/utils/middleware/bearer.go
similarity index 97%
rename from pkg/utils/middleware/bearer.go
rename to internal/utils/middleware/bearer.go
index 6e0633538eda1ad6e445168ba7e7cd8a60f2c0ca..54ed673ffdff63dabe2cba9219b8d1d6946576d1 100644
--- a/pkg/utils/middleware/bearer.go
+++ b/internal/utils/middleware/bearer.go
@@ -6,9 +6,9 @@ import (
 	"net/http"
 	"strings"
 
-	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/oidc/token"
-	ctxutils "gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/pkg/utils/context"
-	httputils "gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/pkg/utils/http"
+	"gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/oidc/token"
+	ctxutils "gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/utils/context"
+	httputils "gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/internal/utils/http"
 
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"google.golang.org/api/option"
diff --git a/pkg/utils/middleware/response.go b/internal/utils/middleware/response.go
similarity index 100%
rename from pkg/utils/middleware/response.go
rename to internal/utils/middleware/response.go