diff --git a/lib/auth.js b/lib/auth.js
index 7a44f360..664ff30c 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -7,9 +7,11 @@ import { secret } from 'lib/crypto';
 const log = debug('umami:auth');
 export function getAuthToken(req) {
-  const token = req.headers.authorization;
-
-  return token.split(' ')[1];
+  try {
+    return req.headers.authorization.split(' ')[1];
+  } catch {
+    return null;
+  }
 }
 export function parseAuthToken(req) {
diff --git a/lib/middleware.js b/lib/middleware.js
index 7473e81c..5660388e 100644
--- a/lib/middleware.js
+++ b/lib/middleware.js
@@ -26,24 +26,25 @@ export const useSession = createMiddleware(async (req, res, next) => {
 export const useAuth = createMiddleware(async (req, res, next) => {
   const token = getAuthToken(req);
-  const key = parseSecureToken(token, secret());
+  const payload = parseSecureToken(token, secret()) || {};
   const shareToken = await parseShareToken(req);
   let user;
+  const { userId, key } = payload;
-  if (validate(key)) {
-    user = await getUser({ id: key });
+  if (validate(userId)) {
+    user = await getUser({ id: userId });
   } else if (redis.enabled) {
     user = await redis.get(key);
   }
+  log({ token, payload, user, shareToken });
+
   if (!user && !shareToken) {
     log('useAuth:user-not-authorized');
     return unauthorized(res);
   }
-  log({ user, token, shareToken, key });
-
   req.auth = { user, token, shareToken, key };
   next();
 });
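Review bot: The bare `catch` in getAuthToken turns every failure into an absent token, while the success path still returns `undefined` for a header such as `Bearer` with no second part, so callers see two different "missing" values (`null` vs `undefined`). Optional chaining expresses the intent without swallowing unrelated errors: `const [, token] = req.headers.authorization?.split(' ') ?? []; return token ?? null;`. The scheme word is never inspected, so any two-part header value is accepted as a token; if only the `Bearer` scheme is meant, a check on the first element of the split belongs here, and that expectation should be stated in a short JSDoc line on the function, e.g. `/** Returns the second word of the Authorization header, or null when absent. */`.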
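Review bot: The new `log({ token, payload, user, shareToken })` call writes the raw bearer token and the full decoded payload to the debug log on every request, including unauthenticated ones, whereas the removed call only ran after the authorization check; a credential in a log sink is a leak risk if debug output is enabled outside development. Prefer logging only what is needed to trace the decision, e.g. `log({ userId, hasToken: Boolean(token), hasShareToken: Boolean(shareToken) });`. Separately, when the token is absent or invalid, `payload` is `{}` and `key` is `undefined`, yet the unchanged `else if (redis.enabled)` branch still calls `redis.get(key)`; unless redis.get is known to reject an undefined key (defined outside this hunk), the branch should be guarded as `} else if (redis.enabled && key) {` so a missing token cannot resolve to a cache lookup under an undefined key.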