diff --git a/api-server/server/middlewares/jwt-authorizaion.test.js b/api-server/server/middlewares/jwt-authorizaion.test.js
new file mode 100644
index 0000000000..98b497f886
--- /dev/null
+++ b/api-server/server/middlewares/jwt-authorizaion.test.js
@@ -0,0 +1,29 @@
+import { isWhiteListedPath } from './jwt-authorization';
+
+describe('jwt-authorization', () => {
+  describe('isWhiteListedPath', () => {
+    const whiteList = [/^\/is-ok\//, /^\/this-is\/also\/ok\//];
+
+    it('returns a boolean', () => {
+      const result = isWhiteListedPath();
+
+      expect(typeof result).toBe('boolean');
+    });
+
+    it('returns true for a white listed path', () => {
+      expect.assertions(2);
+
+      const resultA = isWhiteListedPath('/is-ok/should-be/good', whiteList);
+      const resultB = isWhiteListedPath('/this-is/also/ok/surely', whiteList);
+      expect(resultA).toBe(true);
+      expect(resultB).toBe(true);
+    });
+
+    it('returns false for a non-white-listed path', () => {
+      const result = isWhiteListedPath('/hax0r-42/no-go', whiteList);
+      expect(result).toBe(false);
+    });
+  });
+
+  xdescribe('authorizeByJWT')
+});
diff --git a/api-server/server/middlewares/jwt-authorization.js b/api-server/server/middlewares/jwt-authorization.js
index 3379446b83..2ba1864ecb 100644
--- a/api-server/server/middlewares/jwt-authorization.js
+++ b/api-server/server/middlewares/jwt-authorization.js
@@ -8,12 +8,23 @@ import { wrapHandledError } from '../utils/create-handled-error';
 
 // We need to tunnel through a proxy path set up within
 // the gatsby app, at this time, that path is /internal
-export const apiProxyRE = /^\/internal\/|^\/external\//;
-export const newsShortLinksRE = /^\/internal\/n\/|^\/internal\/p\?/;
+const apiProxyRE = /^\/internal\/|^\/external\//;
+const newsShortLinksRE = /^\/internal\/n\/|^\/internal\/p\?/;
+const loopbackAPIPathRE = /^\/internal\/api\//;
+
+const _whiteListREs = [
+  newsShortLinksRE,
+  loopbackAPIPathRE
+];
+
+export function isWhiteListedPath(path, whiteListREs= _whiteListREs) {
+  return whiteListREs.some(re => re.test(path))
+}
 
 
 export default () => function authorizeByJWT(req, res, next) {
-  if (apiProxyRE.test(req.path) && !newsShortLinksRE.test(req.path)) {
+  const { path } = req;
+  if (apiProxyRE.test(path) && !isWhiteListedPath(path)) {
     const cookie = req.signedCookies && req.signedCookies['jwt_access_token'] ||
       req.cookie && req.cookie['jwt_access_token'];