diff --git a/packages/builder/src/builderStore/api.js b/packages/builder/src/builderStore/api.js
index 0202c5e8ab..8b5206da93 100644
--- a/packages/builder/src/builderStore/api.js
+++ b/packages/builder/src/builderStore/api.js
@@ -20,6 +20,9 @@ export const get = apiCall("GET")
 export const patch = apiCall("PATCH")
 export const del = apiCall("DELETE")
 export const put = apiCall("PUT")
+export const getBuilderCookie = async () => {
+ await post("/api/builder/login", {})
+}
 export default {
 post: apiCall("POST"),
@@ -27,4 +30,5 @@ export default {
 patch: apiCall("PATCH"),
 delete: apiCall("DELETE"),
 put: apiCall("PUT"),
+ getBuilderCookie,
 }
diff --git a/packages/builder/src/builderStore/index.js b/packages/builder/src/builderStore/index.js
index 6fecda84c0..48f466169b 100644
--- a/packages/builder/src/builderStore/index.js
+++ b/packages/builder/src/builderStore/index.js
@@ -6,6 +6,7 @@ import { derived, writable } from "svelte/store"
 import analytics from "analytics"
 import { FrontendTypes, LAYOUT_NAMES } from "../constants"
 import { findComponent } from "./storeUtils"
+import { getBuilderCookie } from "./api"
 export const store = getFrontendStore()
 export const automationStore = getAutomationStore()
@@ -57,6 +58,8 @@ export const selectedAccessRole = writable("BASIC")
 export const initialise = async () => {
 try {
+ // TODO this needs to be replaced by a real login
+ await getBuilderCookie()
 await analytics.activate()
 analytics.captureEvent("Builder Started")
 } catch (err) {
diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js
index fc486bcb50..b35b7f1cda 100644
--- a/packages/server/src/api/controllers/auth.js
+++ b/packages/server/src/api/controllers/auth.js
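Review bot: The result of `post("/api/builder/login", {})` in `getBuilderCookie` is discarded, so when the server refuses the request (the route is wired behind `authorized(BUILDER)` elsewhere in this diff) the builder carries on without a session cookie and only fails later on some unrelated call. `apiCall` is not in this hunk; if it is a thin wrapper over `fetch` it will not reject on a 4xx/5xx status, so the helper should check what came back: `const response = await post("/api/builder/login", {}); if (!response.ok) throw new Error(\`builder login failed: ${response.status}\`)`. Since the function is now also part of the default export, a short JSDoc such as `/** Obtains the builder session cookie via POST /api/builder/login; throws if the server refuses the request. */` would tell callers what a failure means.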
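Review bot: `await getBuilderCookie()` shares one `try` with analytics activation, so a failed builder login lands in the same `catch (err)` as an analytics hiccup; the catch body and the rest of `initialise` are outside this hunk, but if it only logs, the builder starts with no session cookie and every authenticated request afterwards fails for a non-obvious reason. Obtaining the cookie is a precondition rather than best-effort telemetry, so it belongs before the `try` (or must be rethrown from the catch): `await getBuilderCookie()` followed by `try { await analytics.activate() … }`. The new TODO should also say what the stand-in depends on, e.g. `// TODO: temporary — replace with a real builder login; until then the server authorizes this call via authorized(BUILDER) on /api/builder/login`.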
@@ -8,6 +8,7 @@ const { setCookie } = require("../../utilities")
 const { outputProcessing } = require("../../utilities/rowProcessor")
 const { ViewNames } = require("../../db/utils")
 const { UserStatus } = require("../../constants")
+const setBuilderToken = require("../../utilities/builder/setBuilderToken")
 const INVALID_ERR = "Invalid Credentials"
@@ -69,6 +70,11 @@ exports.authenticate = async ctx => {
 }
 }
+exports.builderLogin = async ctx => {
+ await setBuilderToken(ctx)
+ ctx.status = 200
+}
+
 exports.fetchSelf = async ctx => {
 const { userId, appId } = ctx.user
 /* istanbul ignore next */
diff --git a/packages/server/src/api/routes/auth.js b/packages/server/src/api/routes/auth.js
index ae640952ed..0661672968 100644
--- a/packages/server/src/api/routes/auth.js
+++ b/packages/server/src/api/routes/auth.js
@@ -1,9 +1,13 @@
 const Router = require("@koa/router")
 const controller = require("../controllers/auth")
+const authorized = require("../../middleware/authorized")
+const { BUILDER } = require("../../utilities/security/permissions")
 const router = Router()
 router.post("/api/authenticate", controller.authenticate)
+// TODO: this is a hack simply to make sure builder has a cookie until auth reworked
+router.post("/api/builder/login", authorized(BUILDER), controller.builderLogin)
 // doesn't need authorization as can only fetch info about self
 router.get("/api/self", controller.fetchSelf)
diff --git a/packages/server/src/middleware/authorized.js b/packages/server/src/middleware/authorized.js
index dcd91bfdb4..554f281d8c 100644
--- a/packages/server/src/middleware/authorized.js
+++ b/packages/server/src/middleware/authorized.js
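Review bot: `exports.builderLogin` issues the builder token unconditionally — it inspects neither `ctx.user` nor `ctx.auth` and relies entirely on the route wiring in routes/auth.js for authorization, so any path that reaches it without that middleware hands out a builder cookie. That dependency should be written down so a later refactor of the routes cannot drop it silently: `/** Issues the builder session cookie for the caller. Performs no checks of its own — MUST only be mounted behind authorized(BUILDER). */`. The cookie attributes applied by `setBuilderToken` (httpOnly, secure, sameSite) are not visible here and are what decide whether a cross-site POST to this endpoint is exploitable; worth confirming in that helper before relying on this route.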
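Review bot: The only guard on `router.post("/api/builder/login", ...)` is `authorized(BUILDER)`, and this same commit removes the unconditional BUILDER pass-through from that middleware, after which the visible part of `authorized` resolves permissions from `ctx.appId` and `role._id` — it is not apparent from these hunks how a builder client that has no cookie yet satisfies that check to obtain its first one, nor whether `ctx.appId` is populated on a route that carries no app id. If an environment check earlier in `authorized` (the spec's `config.setEnvironment(false)` suggests one exists) is what lets the request through, the TODO should state it, because the safety of the hack rests on it: `// TODO: temporary until auth is reworked — must only succeed when authorized(BUILDER) passes; never relax that middleware for this route`. As a state-changing POST that mints a privileged cookie it also has no CSRF protection visible in this file; whether that matters depends on the SameSite attribute set in setBuilderToken, which is not shown.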
@@ -42,11 +42,6 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => {
 const isAdmin = ADMIN_ROLES.includes(role._id)
 const isAuthed = ctx.auth.authenticated
- // TODO: this was added while we work towards a better auth method
- if (permType === PermissionTypes.BUILDER) {
- return next()
- }
-
 const { basePermissions, permissions } = await getUserPermissions(
 ctx.appId,
 role._id
diff --git a/packages/server/src/middleware/tests/authorized.spec.js b/packages/server/src/middleware/tests/authorized.spec.js
index e4f34381a0..234db96d78 100644
--- a/packages/server/src/middleware/tests/authorized.spec.js
+++ b/packages/server/src/middleware/tests/authorized.spec.js
@@ -143,9 +143,8 @@ describe("Authorization middleware", () => {
 expect(config.next).toHaveBeenCalled()
 })
-
- // TODO: this has been skipped while auth is still in flux
- xit("throws if the user has only builder permissions", async () => {
+
+ it("throws if the user has only builder permissions", async () => {
 config.setEnvironment(false)
 config.setMiddlewareRequiredPermission(PermissionTypes.BUILDER)
 config.setUser({