diff --git a/app/controllers/auth.js b/app/controllers/auth.js
index 228da17..e15af27 100644
--- a/app/controllers/auth.js
+++ b/app/controllers/auth.js
@@ -31,6 +31,7 @@ class AuthController extends SiteController {
     this.dtp.app.use('/auth', router);
     const authRequired = this.dtp.services.session.authCheckMiddleware({ requireLogin: true });
+    const authRequiredNoRedirect = this.dtp.services.session.authCheckMiddleware({ requireLogin: true, useRedirect: false });
     router.post(
       '/otp/enable',
@@ -59,7 +60,7 @@ class AuthController extends SiteController {
     router.get(
       '/socket-token',
-      authRequired,
+      authRequiredNoRedirect,
       limiterService.create(limiterService.config.auth.getSocketToken),
       this.getSocketToken.bind(this),
     );
diff --git a/app/services/session.js b/app/services/session.js
index 9288d7c..4c84fec 100644
--- a/app/services/session.js
+++ b/app/services/session.js
@@ -46,14 +46,18 @@ class SessionService extends SiteService {
     options = Object.assign({
       requireLogin: true,
       requireAdmin: false,
+      useRedirect: true,
       loginUri: '/welcome/login',
     }, options);
     return async (req, res, next) => {
       if (options.requireLogin && !req.user) {
-        req.session.loginReturnTo = req.url;
-        await this.saveSession(req);
-        this.log.info('redirecting to login', { returnTo: req.url });
-        return res.redirect(options.loginUri);
+        if (options.useRedirect) {
+          req.session.loginReturnTo = req.url;
+          await this.saveSession(req);
+          this.log.info('redirecting to login', { returnTo: req.url });
+          return res.redirect(options.loginUri);
+        }
+        return next(new SiteError(403, 'Must sign in to continue'));
       }
       if (options.requireAdmin && (!req.user || !req.user.flags.isAdmin)) {
         return next(new SiteError(403, 'Administrator privileges are required'));
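Review bot: With `authRequiredNoRedirect` on `/socket-token`, an unauthenticated caller now receives a `SiteError(403, ...)` handed to `next` rather than a redirect, and how that is rendered depends on the app's error handler, which is outside this diff; for an endpoint that issues a socket token to script callers, confirm that handler returns a machine-readable status and body rather than an HTML login page. The middleware order is unchanged, but it is now more visible that the auth check runs before `limiterService.create(...)`, so unauthenticated requests to this route never reach the limiter; if that is intended, a one-line comment such as `// auth runs first so only signed-in callers consume the socket-token limiter budget` would save the next reader the question. The `router.get` call is complete within the hunk, but `getSocketToken` itself is outside it.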
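Review bot: The new non-redirect branch returns status 403 for a request that has no user at all, which conflates "not signed in" with the admin "forbidden" case two lines below and leaves an API client unable to tell whether prompting for login would help; unless the project deliberately avoids 401, `return next(new SiteError(401, 'Must sign in to continue'));` is the more accurate status. The branch also drops the `this.log.info` call that the redirect path keeps, so an unauthenticated hit on a no-redirect route leaves no trace at this layer unless the error handler logs SiteErrors — consider `this.log.info('rejecting unauthenticated request', { url: req.url });` before the `next(...)`. The new `useRedirect` option is undocumented; the JSDoc for `authCheckMiddleware`, whose signature sits above this hunk, should gain `@param {boolean} [options.useRedirect=true] - redirect to loginUri when unauthenticated; when false, fail the request via next(new SiteError(...)) instead`. The returned middleware continues past the end of the hunk.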