diff --git a/src/routes/test/apps-test.js b/src/routes/test/apps-test.js
index d58005dcf..b1ad3c4d3 100644
--- a/src/routes/test/apps-test.js
+++ b/src/routes/test/apps-test.js
@@ -736,7 +736,6 @@ xdescribe('App API', function () {
         ///////////// icon
         it('fails for no icon', function (done) {
             superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure/icon')
-                .query({ access_token: token })
                 .end(function (err, res) {
                     expect(res.statusCode).to.equal(400);
                     done();
@@ -745,7 +744,6 @@ xdescribe('App API', function () {
 
         it('fails for invalid icon', function (done) {
             superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure/icon')
-                .query({ access_token: token })
                 .send({ icon: 'something non base64' })
                 .end(function (err, res) {
                     expect(res.statusCode).to.equal(400);
@@ -765,7 +763,6 @@ xdescribe('App API', function () {
 
         it('did set the icon', function (done) {
             superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID + '/icon')
-                .query({ access_token: token })
                 .end(function (err, res) {
                     expect(res.statusCode).to.equal(200); // response is some PNG
                     done();
diff --git a/src/server.js b/src/server.js
index 806edf26a..d93d6d0e8 100644
--- a/src/server.js
+++ b/src/server.js
@@ -215,7 +215,7 @@ async function initializeExpressSync() {
     router.post('/api/v1/apps/install',                          json, token,                   authorizeAdmin,    routes.apps.install);
     router.get ('/api/v1/apps',                                        token,                   authorizeUser,     routes.apps.listByUser);
     router.get ('/api/v1/apps/:id',                                    token, routes.apps.load, authorizeOperator, routes.apps.getApp);
-    router.get ('/api/v1/apps/:id/icon',                               token, routes.apps.load, authorizeUser,  routes.apps.getAppIcon);
+    router.get ('/api/v1/apps/:id/icon',                                      routes.apps.load,                    routes.apps.getAppIcon);
     router.post('/api/v1/apps/:id/uninstall',                    json, token, routes.apps.load, authorizeAdmin, routes.apps.uninstall);
     router.post('/api/v1/apps/:id/configure/access_restriction', json, token, routes.apps.load, authorizeAdmin, routes.apps.setAccessRestriction);
     router.post('/api/v1/apps/:id/configure/operators',          json, token, routes.apps.load, authorizeAdmin, routes.apps.setOperators);