diff --git a/web/api/app/Controller/AppController.php b/web/api/app/Controller/AppController.php
index b74c134d0..e952fe9a2 100644
--- a/web/api/app/Controller/AppController.php
+++ b/web/api/app/Controller/AppController.php
@@ -66,11 +66,10 @@ class AppController extends Controller {
 
     # For use throughout the app. If not logged in, this will be null.
     global $user;
+    # This will auto-login if username=&password= are set, or auth=
+    require_once __DIR__ .'/../../../includes/auth.php';
    
     if ( ZM_OPT_USE_AUTH ) {
-      # This will auto-login if username=&password= are set, or auth=
-      require_once __DIR__ .'/../../../includes/auth.php';
-
       if ( ZM_OPT_USE_LEGACY_API_AUTH or !strcasecmp($this->params->action, 'login') ) {
         # This is here because historically we allowed user=&pass= in the api. web-ui auth uses username=&password=
         $username = $this->request->query('user') ? $this->request->query('user') : $this->request->data('user');