diff --git a/api/src/core/api.js b/api/src/core/api.js
index 51ec1697..fdd13ce1 100644
--- a/api/src/core/api.js
+++ b/api/src/core/api.js
@@ -105,6 +105,18 @@ export const runAPI = (express, app, __dirname) => {
     app.post('/', apiLimiter);
     app.use('/tunnel', apiLimiterStream);
 
+    app.post('/', (req, res, next) => {
+        if (!acceptRegex.test(req.header('Accept'))) {
+            return fail(res, "error.api.header.accept");
+        }
+
+        if (!acceptRegex.test(req.header('Content-Type'))) {
+            return fail(res, "error.api.header.content_type");
+        }
+
+        next();
+    });
+
     app.post('/', (req, res, next) => {
         if (!env.turnstileSecret || !env.jwtSecret) {
             return next();
@@ -128,14 +140,6 @@ export const runAPI = (express, app, __dirname) => {
                 return fail(res, "error.api.auth.jwt.invalid");
             }
 
-            if (!acceptRegex.test(req.header('Accept'))) {
-                return fail(res, "error.api.header.accept");
-            }
-
-            if (!acceptRegex.test(req.header('Content-Type'))) {
-                return fail(res, "error.api.header.content_type");
-            }
-
             req.authorized = true;
         } catch {
             return fail(res, "error.api.generic");