diff --git a/src/routes.js b/src/routes.js
index 73222778..2188357a 100644
--- a/src/routes.js
+++ b/src/routes.js
@@ -257,8 +257,14 @@ module.exports = async (
 }
 const decryptedKey = Encryption.decryptKey({ deviceId, message: req.body.encryptionKey });
- const decryptedMessage = Encryption.decryptMessage({ message: req.body.data, key: decryptedKey, iv: req.body.iv })
+ const decryptedMessage = Encryption.decryptMessage({ message: req.body.data, key: decryptedKey, iv: req.body.iv });
+ const decryptedToken = req.body.token ? Encryption.decryptMessage({ message: req.body.token, key: decryptedKey, iv: req.body.iv }) : null;
 req.body = JSON.parse(decryptedMessage);
+
+ if (decryptedToken) {
+ req.headers.authorization = decryptedToken;
+ }
+
 return next();
 } catch (err) {
 logger.error(err);
@@ -270,6 +276,37 @@ module.exports = async (
 }
 })
+ app.use(async (req, res, next) => {
+ logger.info('Route:', req.path)
+ if (unprotectedRoutes[req.method][req.path]) {
+ next()
+ } else {
+ try {
+ const response = await auth.validateToken(
+ req.headers.authorization.replace('Bearer ', '')
+ )
+ if (response.valid) {
+ next()
+ } else {
+ res.status(401).json({
+ field: 'authorization',
+ errorMessage:
+ "The authorization token you've supplied is invalid"
+ })
+ }
+ } catch (err) {
+ logger.error(
+ !req.headers.authorization
+ ? 'Please add an Authorization header'
+ : err
+ )
+ res
+ .status(401)
+ .json({ field: 'authorization', errorMessage: 'Please log in' })
+ }
+ }
+ })
+
 app.use(async (req, res, next) => {
 try {
 logger.info("Route:", req.path)
diff --git a/src/server.js b/src/server.js
index 20b4b3c7..e5a4d63e 100644
--- a/src/server.js
+++ b/src/server.js
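Review bot: `decryptedToken` is decrypted with the same `decryptedKey` and `req.body.iv` that already decrypt `req.body.data`, so the client must have encrypted two distinct plaintexts under one key/IV pair. Whether that is acceptable depends on the mode `Encryption.decryptMessage` uses, which is not visible here; for CTR- or GCM-style modes a repeated IV exposes both plaintexts, and it leaks structure under CBC as well. Since the handler already does `req.body = JSON.parse(decryptedMessage)`, carrying the token as a field of that encrypted JSON object would need no second ciphertext; failing that, the token should arrive with its own IV. The assignment to `req.headers.authorization` also replaces whatever header the client sent, which deserves a comment such as `// for encrypted requests the body-supplied token supersedes the Authorization header`. The enclosing handler begins before this hunk.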
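Review bot: `unprotectedRoutes[req.method][req.path]` is evaluated outside the `try`, so a request whose method has no entry in `unprotectedRoutes` throws a TypeError from this `async` middleware; unless the framework forwards rejected middleware promises to the error handler, that request never gets a response instead of the intended 401. Guarding the lookup, `if ((unprotectedRoutes[req.method] || {})[req.path]) {`, keeps the behaviour for listed methods and sends everything else through token validation. This middleware is moved verbatim from src/server.js, so the same applied to the removed copy, and its `logger.info('Route:', req.path)` now duplicates the `logger.info("Route:", req.path)` in the middleware that follows it.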
@@ -163,37 +163,6 @@ const server = program => {
 app.use(compression())
- app.use(async (req, res, next) => {
- logger.info('Route:', req.path)
- if (unprotectedRoutes[req.method][req.path]) {
- next()
- } else {
- try {
- const response = await auth.validateToken(
- req.headers.authorization.replace('Bearer ', '')
- )
- if (response.valid) {
- next()
- } else {
- res.status(401).json({
- field: 'authorization',
- errorMessage:
- "The authorization token you've supplied is invalid"
- })
- }
- } catch (err) {
- logger.error(
- !req.headers.authorization
- ? 'Please add an Authorization header'
- : err
- )
- res
- .status(401)
- .json({ field: 'authorization', errorMessage: 'Please log in' })
- }
- }
- })
-
 app.use((req, res, next) => {
 if (sensitiveRoutes[req.method][req.path]) {
 logger.info(