diff --git a/src/proxyauth.js b/src/proxyauth.js
index ad2c805ef..b8e7dee77 100644
--- a/src/proxyauth.js
+++ b/src/proxyauth.js
@@ -50,15 +50,23 @@ function jwtVerify(req, res, next) {
     });
 }
 
-async function basicAuthVerify(req, res, next) {
+async function authorizationHeader(req, res, next) {
     const appId = req.headers['x-app-id'] || '';
-    const credentials = basicAuth(req);
-    if (!appId || !credentials) return next();
+    if (!appId) return next();
+
+    if (!req.headers.authorization) return next();
 
     const [error, app] = await safe(apps.get(appId));
     if (error) return next(new HttpError(503, error.message));
+    if (!app) return next(new HttpError(503, 'Error getting app'));
 
-    if (!app.manifest.addons.proxyAuth.basicAuth) return next();
+    // if app supports bearer auth, pass it through to the app
+    if (req.headers.authorization.startsWith('Bearer ') && app.manifest.addons.proxyAuth.supportsBearerAuth) return next(new HttpSuccess(200, {}));
+
+    const credentials = basicAuth(req);
+    if (!credentials) return next();
+
+    if (!app.manifest.addons.proxyAuth.basicAuth) return next(); // this is a flag because this allows auth to bypass 2FA
 
     const verifyFunc = credentials.name.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;
     const [verifyError, user] = await safe(verifyFunc(credentials.name, credentials.pass, appId));
@@ -139,7 +147,7 @@ function auth(req, res, next) {
     res.set('x-remote-email', req.user.email);
     res.set('x-remote-name', req.user.displayName);
 
-    return next(new HttpSuccess(200, {}));
+    next(new HttpSuccess(200, {}));
 }
 
 // endpoint called by login page, username and password posted as JSON body
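Review bot: The Bearer pass-through in authorizationHeader answers the auth_request with 200 on nothing more than the header prefix and the app's supportsBearerAuth flag, so the authwall performs no check on the token and every request carrying a Bearer scheme reaches the app without the login page or 2FA; the one-line comment above it should say so as explicitly as the basicAuth line does, e.g. `// the authwall does not validate the token: the app is trusted to reject invalid/expired Bearer tokens, so this flag also bypasses the login page and 2FA`. Two smaller points on the same line: `startsWith('Bearer ')` is case-sensitive while the HTTP auth scheme is not, so a `bearer` header would instead fall through to basicAuth() and yield no credentials, and presumably the x-remote-* headers set later in auth() are not populated on this early-return path, so the nginx side should be confirmed to treat their absence as an anonymous request. The body of authorizationHeader continues past the end of the hunk.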
@@ -243,7 +251,7 @@ function initializeAuthwallExpressSync() {
         .use(middleware.lastMile());
 
     router.get ('/login', loginPage);
-    router.get ('/auth', jwtVerify, basicAuthVerify, auth); // called by nginx before accessing protected page
+    router.get ('/auth', jwtVerify, authorizationHeader, auth); // called by nginx before accessing protected page
     router.post('/login', json, passwordAuth, authorize);
     router.get ('/logout', logoutPage);
     router.post('/logout', json, logoutPage);