diff --git a/package-lock.json b/package-lock.json
index 4725a45..60797b2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "auth-server",
-  "version": "1.8.1",
+  "version": "1.8.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "auth-server",
-      "version": "1.8.1",
+      "version": "1.8.2",
       "license": "ISC",
       "dependencies": {
         "bcryptjs": "^2.4.3",
diff --git a/package.json b/package.json
index 44bb5f2..153cefb 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "auth-server",
-  "version": "1.8.1",
+  "version": "1.8.2",
   "description": "An API centric auth server. Uses Sequelize and mariaDB by default.",
   "main": "server/server.js",
   "scripts": {
diff --git a/server/auth/index.js b/server/auth/index.js
index 9fd6224..4ea687f 100644
--- a/server/auth/index.js
+++ b/server/auth/index.js
@@ -19,6 +19,9 @@ router.patch('/reset', require('./password-reset'));
 //logouts allowed when banned, and when the token itself is invalid
 router.delete('/logout', require('./logout'));
 
+//authenticate token
+router.use(tokenAuth);
+
 //middleware
 router.use(async (req, res, next) => {
 	const record = await accounts.findOne({
@@ -41,9 +44,6 @@ router.use(async (req, res, next) => {
 //refresh token
 router.post('/token', require('./token'));
 
-//authenticate token
-router.use(tokenAuth);
-
 //basic account management (needs a token)
 router.get('/account', require('./account-query'));
 router.patch('/account', require('./account-update'));