diff --git a/packages/server/src/api/controllers/routing.js b/packages/server/src/api/controllers/routing.js
index 8d96863593..f068291ac3 100644
--- a/packages/server/src/api/controllers/routing.js
+++ b/packages/server/src/api/controllers/routing.js
@@ -62,11 +62,10 @@ exports.fetch = async ctx => {
 
 exports.clientFetch = async ctx => {
   const routing = await getRoutingStructure(ctx.appId)
-  const accessLevelId = ctx.user.accessLevel._id
+  let accessLevelId = ctx.user.accessLevel._id
   // builder is a special case, always return the full routing structure
   if (accessLevelId === BUILTIN_LEVEL_IDS.BUILDER) {
-    ctx.body = routing
-    return
+    accessLevelId = BUILTIN_LEVEL_IDS.ADMIN
   }
   const accessLevelIds = await getUserAccessLevelHierarchy(
     ctx.appId,
diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js
index b30e22f0e1..708b47c4f5 100644
--- a/packages/server/src/middleware/authenticated.js
+++ b/packages/server/src/middleware/authenticated.js
@@ -1,9 +1,9 @@
 const jwt = require("jsonwebtoken")
 const STATUS_CODES = require("../utilities/statusCodes")
-const { getAccessLevel } = require("../utilities/security/accessLevels")
+const { getAccessLevel, BUILTIN_LEVELS } = require("../utilities/security/accessLevels")
 const env = require("../environment")
 const { AuthTypes } = require("../constants")
-const { getAppId, getCookieName, setCookie } = require("../utilities")
+const { getAppId, getCookieName, setCookie, isClient } = require("../utilities")
 
 module.exports = async (ctx, next) => {
   if (ctx.path === "/_builder") {
@@ -21,17 +21,13 @@ module.exports = async (ctx, next) => {
     appId = cookieAppId
   }
 
-  const appToken = ctx.cookies.get(getCookieName(appId))
-  const builderToken = ctx.cookies.get(getCookieName())
-
   let token
-  // if running locally in the builder itself
-  if (!env.CLOUD && !appToken) {
-    token = builderToken
-    ctx.auth.authenticated = AuthTypes.BUILDER
-  } else {
-    token = appToken
+  if (isClient(ctx)) {
     ctx.auth.authenticated = AuthTypes.APP
+    token = ctx.cookies.get(getCookieName(appId))
+  } else {
+    ctx.auth.authenticated = AuthTypes.BUILDER
+    token = ctx.cookies.get(getCookieName())
   }
 
   if (!token) {
@@ -39,6 +35,7 @@ module.exports = async (ctx, next) => {
     ctx.appId = appId
     ctx.user = {
       appId,
+      accessLevel: BUILTIN_LEVELS.PUBLIC,
     }
     await next()
     return
diff --git a/packages/server/src/utilities/index.js b/packages/server/src/utilities/index.js
index 2a2ae81671..cde10b6b62 100644
--- a/packages/server/src/utilities/index.js
+++ b/packages/server/src/utilities/index.js
@@ -70,3 +70,7 @@ exports.setCookie = (ctx, name, value) => {
     overwrite: true,
   })
 }
+
+exports.isClient = ctx => {
+  return ctx.headers["x-budibase-type"] === "client"
+}
diff --git a/packages/server/src/utilities/security/accessLevels.js b/packages/server/src/utilities/security/accessLevels.js
index 578cd1e803..344dd20930 100644
--- a/packages/server/src/utilities/security/accessLevels.js
+++ b/packages/server/src/utilities/security/accessLevels.js
@@ -21,7 +21,7 @@ exports.BUILTIN_LEVELS = {
   ADMIN: new AccessLevel(BUILTIN_IDS.ADMIN, "Admin", BUILTIN_IDS.POWER),
   POWER: new AccessLevel(BUILTIN_IDS.POWER, "Power", BUILTIN_IDS.BASIC),
   BASIC: new AccessLevel(BUILTIN_IDS.BASIC, "Basic", BUILTIN_IDS.PUBLIC),
-  ANON: new AccessLevel(BUILTIN_IDS.PUBLIC, "Public"),
+  PUBLIC: new AccessLevel(BUILTIN_IDS.PUBLIC, "Public"),
   BUILDER: new AccessLevel(BUILTIN_IDS.BUILDER, "Builder"),
 }